
Cloudflare is officially ending support for all HTTP ports for api.cloudflare.com to address potential data leakage risks caused by unencrypted traffic. All API requests are now allowed only over HTTPS, which protects API tokens from interception.
The company explains that even with automatic redirection from HTTP to HTTPS, sensitive data could be transmitted over unencrypted channels for a short time, because the client sends its request, API token included, before the server can answer with a redirect. This created an exposure that could potentially be exploited by attackers, ISPs, or operators of public Wi-Fi networks.
To prevent such threats, Cloudflare is blocking HTTP connections at the transport layer using iptables, rather than answering with a standard HTTP response such as 403 Forbidden. This means that no TCP connection will be established at all.
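The difference between redirecting and refusing, as an added example that is not Cloudflare's code: a loopback listener stands in for a port-80 server that redirects to HTTPS, and a closed port stands in for the firewall block. The token, path and hostname are constructed placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # Authorization headers that arrived over plaintext HTTP

class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Stand-in for a port-80 listener that only redirects to HTTPS."""
    def do_GET(self):
        # The full request, credentials included, has already crossed the wire.
        SEEN.append(self.headers.get("Authorization"))
        self.send_response(301)
        self.send_header("Location", "https://api.example.invalid" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def send_plain_http(port, token):
    """Try one API call over plaintext HTTP; return the status or 'refused'."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=3)
    try:
        conn.request("GET", "/v1/example", headers={"Authorization": "Bearer " + token})
        return conn.getresponse().status
    except ConnectionRefusedError:
        return "refused"  # no TCP connection, so no HTTP bytes were sent
    finally:
        conn.close()

def demo(token="CONSTRUCTED-TOKEN-not-real"):
    SEEN.clear()
    server = HTTPServer(("127.0.0.1", 0), RedirectToHTTPS)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    redirected = send_plain_http(port, token)   # case 1: redirect to HTTPS
    leaked = list(SEEN)
    server.shutdown()
    server.server_close()                        # port is now closed
    SEEN.clear()
    blocked = send_plain_http(port, token)       # case 2: closed port (stand-in for the block)
    return redirected, leaked, blocked, list(SEEN)

if __name__ == "__main__":
    redirected, leaked, blocked, after = demo()
    print("redirect status:", redirected, "| token seen in cleartext:", leaked)
    print("closed port:", blocked, "| token seen in cleartext:", after)
```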
At this time, the block only affects api.cloudflare.com, but in Q4 2025, Cloudflare will provide customers with the ability to disable HTTP ports for their own domains via the control panel or API.
Despite the widespread practice of redirecting HTTP to HTTPS, approximately 2-3% of real users and 16% of automated traffic still reached Cloudflare servers over plain HTTP. In response to these risks, the company decided to completely abandon HTTP ports. The change also includes the gradual removal of static IP addresses for api.cloudflare.com, as well as the end of support for non-SNI clients, which account for only 0.55% of all connections.
This step by Cloudflare represents a significant increase in security across the global network, eliminating vulnerabilities associated with unencrypted API requests. In the future, the company plans to provide this protection to all its customers. Administrators are advised to monitor HTTP requests in Cloudflare Analytics before activating the block.