
Cloudflare announced today that it has closed all HTTP ports on api.cloudflare.com, taking a significant step toward eliminating the security risks associated with cleartext HTTP traffic. 

The change, effective immediately, prevents sensitive information such as API tokens from being transmitted in unencrypted form before a connection can be redirected to HTTPS.

“A better approach is to refuse the underlying cleartext connection by closing the network ports used for plaintext HTTP, and that’s exactly what we’re going to do for our customers,” stated Cloudflare in their announcement blog post.


The security concern stems from a fundamental weakness in how HTTP-to-HTTPS redirections work. Even with features like “Always Use HTTPS” enabled, the initial HTTP request contains sensitive information in plaintext before any redirection can occur. 

This creates a window of vulnerability where network intermediaries—such as ISPs, hotspot providers, or malicious actors—can intercept API keys and other confidential data.

Initial plaintext HTTP request exposed to the network 

“Any API key or token exposed in plaintext on the public Internet should be considered compromised,” reads the advisory.

While HTTP Strict Transport Security (HSTS) partially mitigates this issue for web browsers, it doesn’t help with stateless API clients that don’t remember previous connection settings.

For these clients, every request potentially exposes sensitive data. Rather than accepting HTTP connections and turning them away at the application layer, Cloudflare blocks them at the transport layer using iptables firewall rules.

This approach prevents the TCP handshake from completing before any application data is transmitted, effectively closing the HTTP interface entirely.

Connections are rejected at the network level rather than through HTTP status codes like 403 Forbidden. The implementation leverages Cloudflare’s Tubular tool to bind anycast IP prefixes to TLS-terminating proxies globally and Topaz for declarative DNS management.
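Closing the port is the server-side fix. The following is an added example (not Cloudflare's code, and not from the original article) that models the client side of the same problem for the stateless API clients discussed above: a naive client sends its token on the first http:// request, so an on-path observer sees it before the 301 redirect ever arrives, while a client that refuses cleartext for credentials and keeps an HSTS-like memory never puts the token on the wire in plaintext. The hostname api.example.com, the token tok_ABC and the ObservingWire transport are all constructed for the example.

```python
"""Client-side HTTPS enforcement for credential-bearing API requests.

Constructed example: ObservingWire stands in for the network path and
answers http:// with a redirect (the "Always Use HTTPS" behaviour) and
https:// with 200 plus an HSTS header. Nothing here touches a real network.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


class CleartextCredentialError(Exception):
    """Raised when a credential would be sent over plaintext HTTP."""


@dataclass
class ObservingWire:
    """Hypothetical transport that records what an on-path observer can read."""
    observed: list = field(default_factory=list)

    def send(self, url, headers):
        parts = urlsplit(url)
        # Only the plaintext leg is readable to an intermediary; TLS legs are opaque.
        visible = dict(headers) if parts.scheme == "http" else "<encrypted>"
        self.observed.append((parts.scheme, visible))
        if parts.scheme == "http":
            target = urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))
            return 301, {"Location": target}
        return 200, {"Strict-Transport-Security": "max-age=31536000"}


def naive_request(wire, url, token):
    """Stateless client: attaches the token to whatever URL it was handed and
    follows the redirect. The leak has already happened when the 301 arrives."""
    headers = {"Authorization": f"Bearer {token}"}
    status, resp = wire.send(url, headers)
    if status == 301:
        status, resp = wire.send(resp["Location"], headers)
    return status


@dataclass
class StrictTransportClient:
    """Refuses cleartext for credentials and remembers, per host, that HTTPS is
    required, so later http:// URLs are upgraded before any bytes are sent."""
    https_only_hosts: set = field(default_factory=set)

    def remember(self, host):
        self.https_only_hosts.add(host.lower())

    def upgrade(self, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme == "http" and host in self.https_only_hosts:
            # Default ports collapse to the https default; explicit odd ports are kept.
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def request(self, wire, url, token=None):
        url = self.upgrade(url)
        parts = urlsplit(url)
        if token is not None and parts.scheme != "https":
            raise CleartextCredentialError(
                f"refusing to send a credential over {parts.scheme}:// to {parts.hostname}")
        headers = {"Authorization": f"Bearer {token}"} if token else {}
        status, resp = wire.send(url, headers)
        if "Strict-Transport-Security" in resp:
            self.remember(parts.hostname)  # learn the host's policy like a browser would
        return status


def demo():
    """Constructed walk-through. Returns (plaintext requests an observer saw,
    whether the strict client refused the http:// URL, the upgraded URL)."""
    wire = ObservingWire()
    url = "http://api.example.com/client/v4/user"  # constructed hostname
    naive_request(wire, url, "tok_ABC")  # constructed token
    leaked = [hdrs for scheme, hdrs in wire.observed if scheme == "http"]
    strict = StrictTransportClient()
    blocked = False
    try:
        strict.request(wire, url, "tok_ABC")
    except CleartextCredentialError:
        blocked = True
    strict.request(wire, "https://api.example.com/client/v4/user", "tok_ABC")
    return leaked, blocked, strict.upgrade(url)


if __name__ == "__main__":
    leaked, blocked, upgraded = demo()
    print("observer saw in plaintext:", leaked)
    print("strict client refused cleartext:", blocked)
    print("http:// now upgraded to:", upgraded)
```

The naive client in this example corresponds to the scripts and integrations that the article says make up a large share of HTTP traffic; the strict client is the behaviour to build into API SDKs regardless of whether the server closes its port.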

Disabling HTTP Port Access

While this change currently applies only to api.cloudflare.com, Cloudflare plans to make this security feature available to all customers in the last quarter of 2025.

Customers will be able to opt in to disable HTTP port traffic for their domains through the dashboard or API.

“We expect to make this free security feature available in the last quarter of 2025,” Cloudflare confirmed.

Additionally, Cloudflare is transitioning api.cloudflare.com away from static IP addresses and will discontinue support for non-SNI legacy clients, which currently account for only 0.55% of TLS connections to the API.

This move represents a more aggressive approach to HTTPS enforcement than commonly used methods like HTTP-to-HTTPS redirects. 

While most modern browsers warn users about insecure connections, about 2-3% of “likely human” connections to Cloudflare’s network still use HTTP, with the percentage rising to over 16% for automated traffic.

Security experts have long advocated for closing HTTP ports entirely, but the approach has been challenging to implement at scale due to legacy clients and the technical complexities of managing millions of connections.

For administrators using Cloudflare, the company recommends monitoring unencrypted connections through the Analytics dashboard before enabling the feature when it becomes available. 

This provides visibility into the volume of plaintext traffic that would be blocked. Cloudflare concludes, “We believe security should be free for all!”


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents happening across cyberspace.