Source URL: https://blog.cloudflare.com/https-only-for-cloudflare-apis-shutting-the-door-on-cleartext-traffic/
Source: The Cloudflare Blog
Title: HTTPS-only for Cloudflare APIs: shutting the door on cleartext traffic
Feedly Summary: We are closing the cleartext HTTP ports entirely for Cloudflare API traffic. This prevents the risk of clients unintentionally leaking their secret API keys in cleartext during the initial request.
AI Summary and Description: Yes
Summary: The text discusses Cloudflare's decision to close the cleartext HTTP ports for its API (api.cloudflare.com) so that sensitive data cannot be transmitted in plaintext. The point is that an HTTP-to-HTTPS redirect arrives only after the client has already sent its request, headers and credentials included, so the secret is exposed before the upgrade; refusing the cleartext connection outright removes that window.
Detailed Description:
– Cloudflare is implementing a security enhancement by closing all HTTP ports on their API (api.cloudflare.com) to prevent sensitive data from being transmitted in cleartext.
– The significance of this change is rooted in a basic weakness of HTTP: a client sends its full request, including any API token in the Authorization header, before the server has any opportunity to redirect it to HTTPS, so anyone on the network path can read the token in the clear.
– Key points include:
– Current practice allows for redirection from HTTP to HTTPS, but there’s a risk that sensitive information is exposed during that initial plaintext transmission.
– A proactive approach involves closing HTTP ports at the transport layer, thereby preventing any plaintext connection from being established before sensitive data is exchanged.
– Closing the cleartext ports only for API traffic (api.cloudflare.com), rather than for every site Cloudflare proxies, limits the disruption while still removing the exposure where it matters most.
– Because the cleartext connection is refused at the transport layer instead of being answered with a redirect, a client that mistakenly uses http:// never gets to send its request, so no credential is exposed and there is nothing to rotate or revoke afterwards.
– Cloudflare also acknowledges the cost: scripts and legacy integrations still configured with http:// URLs, or built on client libraries that do not handle HTTPS correctly, will start failing with connection errors instead of being silently redirected.
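The contrast drawn above (redirect after the fact versus a closed port) is easy to see on a local socket. The script below is an added, constructed illustration and not code from the Cloudflare post: it runs a throwaway listener on 127.0.0.1 that records the Authorization header it receives before answering with a 301, then tries the same naive client against a port nothing listens on. The token, the request path and the redirect target are placeholders. A small client-side guard is included at the end because a practitioner should not rely on the server alone to catch a cleartext URL.

```python
"""Why an HTTP->HTTPS redirect does not protect an API token, but a closed
cleartext port does. Constructed local demo; nothing here is Cloudflare's
code, and the token, path and hostnames are placeholders."""
import http.client
import http.server
import socket
import threading
from urllib.parse import urlsplit

TOKEN = "demo-token-NOT-A-REAL-SECRET"   # constructed placeholder credential
PATH = "/client/v4/user/tokens/verify"   # path shape assumed for illustration

# Everything the cleartext listener saw before it answered. On a real network
# a passive observer on the path would see the same bytes.
seen_by_cleartext_listener = []


class RedirectToHttps(http.server.BaseHTTPRequestHandler):
    """Models the 'answer HTTP with 301 to HTTPS' pattern the post argues against."""

    def do_GET(self):
        # The secret has already arrived in the clear; the redirect is too late.
        seen_by_cleartext_listener.append(self.headers.get("Authorization"))
        self.send_response(301)
        self.send_header("Location", "https://api.example.invalid" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_redirecting_listener():
    """Start the redirecting listener on an ephemeral port; return the port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), RedirectToHttps)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def closed_port():
    """Models 'port closed at the transport layer': bind an ephemeral port and
    release it immediately, so nothing is listening there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def naive_client(port):
    """A client that uses http:// and trusts the server to upgrade it.
    Returns what happened from the client's point of view."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
    try:
        conn.request("GET", PATH, headers={"Authorization": "Bearer " + TOKEN})
        resp = conn.getresponse()
        return ("redirected", resp.status, resp.getheader("Location"))
    except ConnectionRefusedError:
        # The TCP handshake failed, so no request line and no header ever
        # left the client. Nothing to rotate afterwards.
        return ("refused", None, None)
    finally:
        conn.close()


def credential_safe_url(url):
    """Client-side guard to apply regardless of what the server does:
    only attach a bearer token when the scheme is https."""
    return urlsplit(url).scheme == "https"


if __name__ == "__main__":
    start = len(seen_by_cleartext_listener)
    print("redirect model   :", naive_client(start_redirecting_listener()))
    print("listener captured:", seen_by_cleartext_listener[start:])
    start = len(seen_by_cleartext_listener)
    print("closed-port model:", naive_client(closed_port()))
    print("listener captured:", seen_by_cleartext_listener[start:])
    print("http:// allowed? :", credential_safe_url("http://api.cloudflare.com/client/v4"))
```

In the first run the listener has the full bearer token in hand before it sends the 301; in the second the client gets a refused connection with no request ever written to the wire. The `credential_safe_url` check is the client-side equivalent: a script that rejects non-https base URLs before attaching a token fails safely even against an API that still redirects.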
Cloudflare frames the change as a move from encryption by redirect to encryption by default: an API that cannot be reached over cleartext at all, rather than one that merely corrects clients after the secret has already been sent. The post also says the same HTTPS-only option is planned for customers' own domains in the last quarter of 2025, so that sites proxied by Cloudflare can refuse cleartext traffic in the same way. Beyond hardening the API itself, the change is meant to push clients and integrations toward HTTPS-only configurations as the norm.