
Cloudflare has officially announced the complete deprecation of the insecure HTTP protocol for accessing its API. Henceforth, any attempt to connect to api.cloudflare[.]com via an unencrypted channel will be rejected outright—prior to the establishment of any connection. In effect, the server will no longer perform redirects from HTTP to HTTPS; the connection simply will not occur.
This decisive move is aimed at eliminating even the theoretical possibility of sensitive data leakage that could occur if information were transmitted in plaintext before the server had a chance to deny or redirect the request.
Previously, HTTP requests might have resulted in a 403 response or an automatic redirect to HTTPS. However, in those instances, tokens, API keys, and other confidential data could already have been sent over the wire unencrypted—a particularly perilous risk on public Wi-Fi networks, where intercepting traffic requires minimal effort.
Now, the HTTP interface has been entirely disabled, and connections via this protocol are no longer possible at the transport layer. Developers and automated systems must exclusively use HTTPS when interacting with the API. Cloudflare emphasizes that unencrypted requests will not be considered by the server—they will be rejected immediately, without any data transmission.
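The difference between a redirecting endpoint and a closed plaintext port can be reproduced on loopback. The following is an added example, not code from Cloudflare's announcement: a local listener stands in for the old redirecting behaviour, and the host name, path and token are constructed placeholders.

```python
import socket
import threading

TOKEN = "EXAMPLE-TOKEN-0000"  # constructed placeholder, not a real credential

def redirecting_listener(srv, captured):
    """Old behaviour: accept plaintext HTTP, read the request, then redirect."""
    conn, _ = srv.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:       # read until end of headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        captured.append(data)                # credentials arrived before any reply
        conn.sendall(b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://api.example.test/\r\n"
                     b"Content-Length: 0\r\n\r\n")

def send_plain_request(port):
    """Legacy client calling the API over http:// (hypothetical host and path)."""
    request = ("GET /v1/example HTTP/1.1\r\nHost: api.example.test\r\n"
               f"Authorization: Bearer {TOKEN}\r\nConnection: close\r\n\r\n").encode()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
            c.sendall(request)
            return c.recv(4096).split(b"\r\n", 1)[0].decode()
    except ConnectionRefusedError:
        return "refused"                     # no TCP session, so nothing was sent

def demo():
    # Case 1: plaintext port open, server answers with a redirect.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))               # any free loopback port
    srv.listen(1)
    port = srv.getsockname()[1]
    captured = []
    t = threading.Thread(target=redirecting_listener, args=(srv, captured))
    t.start()
    status_open = send_plain_request(port)
    t.join()
    srv.close()
    leaked = TOKEN.encode() in captured[0]
    # Case 2: plaintext port closed, the connect itself fails.
    status_closed = send_plain_request(port)
    return status_open, leaked, status_closed

if __name__ == "__main__":
    print(demo())
```

In the first case the client receives a 301 only after the bearer token has crossed the wire in cleartext; in the second the TCP handshake fails and the request is never written.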
Cloudflare’s API is widely employed for infrastructure management tasks such as DNS record administration, firewall configuration, DDoS protection activation, cache tuning, SSL parameter adjustments, analytics access, and zero trust policy enforcement. This update affects all scenarios where HTTP may still be in use, including legacy scripts, outdated IoT devices, and tools with misconfigured protocols.
According to Cloudflare, approximately 2.4% of all internet traffic passing through its network is still transmitted via HTTP. When isolating automated traffic alone, that figure rises to 17%. These cases pose the most significant risk, as bots and legacy clients often do not default to encryption.
To assist customers who host websites through Cloudflare, the company is preparing a free tool that will securely disable HTTP traffic. Until its planned release later this year, users can monitor their HTTP-to-HTTPS ratios via the “Analytics & Logs > Traffic Served Over SSL” dashboard to assess the potential impact in advance.
This initiative fortifies the integrity of the entire Cloudflare ecosystem, reducing the risk of data breaches and fostering a more secure environment for developers and end users alike—especially crucial amid the rising tide of attacks targeting vulnerabilities in the early stages of network communication.