HTTP Terminated: Cloudflare Mandates HTTPS Connection for APIs

From now on, only secure HTTPS connections are allowed for API requests.

Cloudflare has announced that it will now only accept secure HTTPS connections for API requests to api.cloudflare.com. All HTTP connections are now blocked and terminated, even before any data is transmitted. This preventive approach aims to improve the agility and reliability of Cloudflare API endpoints.

HTTP Poses a Risk

The measure is intended to prevent unencrypted API requests from being sent. In this way, Cloudflare aims to prevent sensitive information, such as an API key, from leaking through unsecured connections. API requests sent via HTTP are not encrypted and are transmitted in plain text. This allows hackers to easily intercept that data. According to Cloudflare, this is particularly problematic for customers who do not enforce HTTPS.
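An added example, not from Cloudflare or the original article: a Python audit that flags plain-HTTP calls to api.cloudflare.com in scripts or configuration, plus a guard that rejects a non-HTTPS URL before a token is attached to the request. The sample script, the function names and the `$CF_API_TOKEN` variable are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

API_HOST = "api.cloudflare.com"  # host named in the article

# Any URL pointing at the API host, with optional port; scheme is captured.
# The lookahead stops look-alike hosts such as api.cloudflare.com.example.
_URL_RE = re.compile(
    r"\b(https?)://api\.cloudflare\.com(?::\d+)?(?=[/\s'\"?#]|$)",
    re.IGNORECASE,
)

# Constructed sample input, not taken from any real deployment.
SAMPLE_SCRIPT = '''\
# constructed sample deploy script
curl -H "Authorization: Bearer $CF_API_TOKEN" http://api.cloudflare.com/client/v4/zones
curl -H "Authorization: Bearer $CF_API_TOKEN" https://api.cloudflare.com/client/v4/zones
API_BASE=HTTP://API.CLOUDFLARE.COM:80/client/v4
curl https://example.com/health
'''


def find_plaintext_api_calls(text):
    """Return (line_number, line) for each line that targets the API over plain HTTP."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(m.group(1).lower() == "http" for m in _URL_RE.finditer(line)):
            hits.append((lineno, line.strip()))
    return hits


def require_https(url):
    """Validate the URL before any credential is attached; raise if it is not HTTPS."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"refusing non-HTTPS API URL: {url}")
    if (parts.hostname or "").lower() != API_HOST:
        raise ValueError(f"unexpected API host: {parts.hostname}")
    return url


if __name__ == "__main__":
    for lineno, line in find_plaintext_api_calls(SAMPLE_SCRIPT):
        print(f"line {lineno}: plaintext API call: {line}")
```

Running the audit over deployment scripts and CI configuration finds the callers that would previously have sent a token in clear text and that now fail to connect.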

The IP addresses of the Cloudflare API are dynamically managed. This means they can change, but customers will receive a warning in advance of an update. Later this year, users will also have the option to disable all HTTP traffic for their own domains.

In 2024, the number of DDoS attacks rose to a record high. More than half of the attacks fell under HTTP attacks, originating from known botnets. HTTPS is better secured and immune to these types of attacks. With this, Cloudflare is taking a major step towards a better regulated and more secure internet.
