Cloudflare, the web infrastructure and security giant, has announced a decisive step in its ongoing mission to make the internet more secure: all unencrypted traffic to its API endpoints is now blocked by default. This change, which went into effect in early 2025, marks a significant move toward a fully encrypted internet and is expected to impact developers, enterprises, and API consumers across the globe.
Why It Matters: The Growing Threat of Insecure API Traffic
APIs are the backbone of modern internet services, facilitating communication between web applications, mobile apps, and cloud-based systems. As their use has skyrocketed, so too has the risk of cyberattacks targeting these endpoints. Unencrypted API traffic — i.e., HTTP rather than HTTPS — exposes sensitive data to interception, manipulation, and man-in-the-middle (MitM) attacks.
Despite this, a surprising number of APIs still allow or even default to accepting unencrypted connections. Cloudflare’s decision to enforce encryption by default is a direct response to this risk. By mandating HTTPS-only traffic, Cloudflare is effectively eliminating one of the most common attack surfaces in API security.
The Technical Details: What’s Changing
Prior to this change, Cloudflare allowed developers to configure their own SSL/TLS policies when exposing API endpoints. While HTTPS was strongly recommended, it was still possible to allow connections over unencrypted HTTP for backward compatibility or internal testing environments.
Now, any request made to a Cloudflare-protected API endpoint over HTTP (port 80) will be automatically blocked. This applies universally across all API traffic routed through Cloudflare’s global network — including REST, GraphQL, and WebSocket endpoints.
In addition to blocking HTTP, Cloudflare is also applying strict TLS enforcement policies, requiring that all connections meet minimum security standards, such as TLS 1.2 or higher, with recommended configurations pointing to TLS 1.3.
Cloudflare has clarified that this change does not affect traditional websites or static content unless they are served via API-style endpoints. Developers can still choose to redirect HTTP to HTTPS on their websites if needed, but API endpoints will be strictly HTTPS-only.
The Industry Context: A Step Ahead
Cloudflare has long positioned itself as a leader in internet security and performance. This latest move aligns with broader industry trends pushing for an encrypted-by-default web. Major browsers like Chrome, Firefox, and Safari already label HTTP sites as “Not Secure,” and search engines prioritize HTTPS-enabled sites in rankings.
However, Cloudflare’s decision to enforce HTTPS on API traffic takes things a step further — from encouraging encryption to enforcing it. Few major infrastructure providers have gone this far, particularly in the API space, where backward compatibility has often been used to justify continued HTTP support.
By taking a firm stance, Cloudflare is sending a message to the industry: encryption is no longer optional.
Impact on Developers and Businesses
While this change is a net positive for security, it does require action from developers and organizations still relying on HTTP-based integrations.
Cloudflare has provided a transition guide for affected customers, which includes steps for identifying unencrypted traffic, updating endpoints, and ensuring all clients are configured to use HTTPS. Developers using outdated libraries or SDKs may need to update their tools to support modern TLS standards.
For businesses with internal APIs that were exposed over HTTP — even if only for testing or debugging — the change may cause service disruptions unless mitigated in advance. However, Cloudflare offers several mitigation strategies, including temporary exceptions for enterprise customers (under strict review) and private network tunnels for internal testing.
A Security-First Future
Cloudflare’s move reflects a broader shift in how internet infrastructure is built and maintained. In an era of rampant cyber threats, security-by-design is becoming a core principle, not a luxury.
“APIs are increasingly the target of attackers, and allowing unencrypted traffic simply isn’t acceptable anymore,” said Cloudflare CTO John Graham-Cumming in a recent statement. “We’re committed to building a safer internet, and that starts with eliminating insecure defaults.”
By defaulting to secure communication channels, Cloudflare is helping prevent data leaks, authentication token theft, and other forms of interception that could lead to system compromise or reputational damage.
What’s Next
Industry observers expect other cloud and CDN providers to follow suit. As regulatory frameworks like GDPR, HIPAA, and PCI DSS continue to emphasize data protection, encrypted communication is rapidly becoming a baseline requirement.
For Cloudflare users, the key takeaway is simple: if your API still relies on HTTP, it’s time to modernize. The future of the internet is encrypted — and thanks to Cloudflare, that future is arriving sooner than expected.
