
Cloudflare Enhances API Security by Closing HTTP Ports


In a move to bolster API security, Cloudflare has announced the closure of all HTTP ports on api.cloudflare.com.

This decision, set to take effect immediately, marks a crucial step in the company’s ongoing efforts to enforce HTTPS-only connections across its global network.

The Security Imperative

The primary motivation behind this change is to address a critical vulnerability in cleartext HTTP connections.

When clients make requests over unencrypted HTTP, sensitive information—such as API tokens—can be exposed to potential interception by network intermediaries before the server has a chance to redirect or reject the connection.

Cloudflare’s approach goes beyond the common practice of redirecting HTTP traffic to HTTPS or returning a 403 Forbidden response.

Instead, the company is taking a more proactive stance by refusing the underlying cleartext connection at the transport layer.

Technical Implementation

To achieve this enhanced security measure, Cloudflare has implemented the following changes:

  1. Port Closure: All plaintext HTTP ports for API traffic on Cloudflare’s global network have been closed.
  2. Firewall Configuration: The company extended its global iptables firewall configuration to reject inbound packets on HTTP ports:

     ```bash
     iptables -A INPUT -p tcp -d <IP_ADDRESS_BLOCK> --dport <HTTP_PORT> -j REJECT --reject-with tcp-reset
     iptables -A INPUT -p udp -d <IP_ADDRESS_BLOCK> --dport <HTTP_PORT> -j REJECT --reject-with icmp-port-unreachable
     ```

     This configuration ensures that connections to these IP addresses on HTTP ports are filtered and rejected at the transport layer: TCP clients receive a reset and UDP clients an ICMP port-unreachable message.
  3. DNS Policy Update: Cloudflare has updated its DNS assignments to route API traffic over the correct IP addresses. This was achieved using a declarative Topaz program in their authoritative DNS server:

     ```yaml
     - name: https_only
       exclusive: true
       config: |
         (config
           ([traffic_class "API"]
            [ipv4 (ipv4_address "192.0.2.1")]      # Example IPv4 address
            [ipv6 (ipv6_address "2001:DB8::1:1")]  # Example IPv6 address
            [t (ttl 300)]))
       match: |
         (= query_domain_class traffic_class)
       response: |
         (response (list ipv4) (list ipv6) t)
     ```

     This policy ensures that DNS queries targeting the ‘API’ traffic class return the respective HTTPS-only interface IP addresses.

Impact and Future Plans

The immediate impact of this change is that any unencrypted connection to api.cloudflare.com will be completely rejected.

Developers should no longer expect a 403 Forbidden response for HTTP connections: the cleartext TCP connection is refused before any request can be sent.
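A client-side probe that distinguishes the three behaviours the article contrasts (a transport-layer reject, a silently filtered port, and a server that still accepts cleartext and answers with a redirect or 403). This is an added example, not Cloudflare's code; the local stand-in server and helper names are assumptions made for the illustration.

```python
import socket
import threading

def classify_cleartext(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """Connect to a plaintext HTTP port and report how cleartext is handled.

    'rejected'      TCP connection refused (RST), as the article describes
    'filtered'      no answer before the timeout (packets silently dropped)
    'accepted:NNN'  connection established and an HTTP status NNN came back,
                    e.g. 'accepted:301' (redirect) or 'accepted:403'
    'unreachable'   any other socket error (no route, DNS failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            buf = b""
            while b"\r\n" not in buf and len(buf) < 512:   # read up to the status line
                chunk = sock.recv(256)
                if not chunk:
                    break
                buf += chunk
            parts = buf.split(b"\r\n", 1)[0].decode(errors="replace").split()
            code = parts[1] if len(parts) >= 2 and parts[0].startswith("HTTP/") else "?"
            return f"accepted:{code}"
    except ConnectionRefusedError:
        return "rejected"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"

def serve_once(status_line: str) -> int:
    """Constructed local stand-in for a server that still answers cleartext (returns its port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(f"{status_line}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".encode())
        conn.close()
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def closed_port() -> int:
    """Pick a loopback port with nothing listening, so a connect attempt is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "api.cloudflare.com"
    print(target, "port 80 ->", classify_cleartext(target))
```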

Looking ahead, Cloudflare plans to extend this security feature to its customers.

By the last quarter of 2025, the company expects to release the ability for customers to opt in to safely disable all HTTP port traffic for their websites on Cloudflare.

Monitoring and Transition

Cloudflare advises customers to monitor unencrypted connections for their domains before implementing this feature.

This can be done through the Cloudflare dashboard under the “Analytics & Logs” section, which provides a breakdown of encrypted and unencrypted traffic.

This move by Cloudflare represents a significant step forward in API security.

By closing HTTP ports and enforcing HTTPS-only connections, the company is setting a new standard for protecting sensitive data in transit.

As the internet continues to evolve, such proactive security measures will become increasingly crucial in safeguarding digital communications and transactions.
