“A better approach is to refuse the underlying cleartext connection by closing the network ports used for plaintext HTTP, and that’s exactly what we’re going to do for our customers,” stated Cloudflare in their announcement blog post. Security experts have long advocated for closing HTTP ports entirely, but the approach has been challenging to implement at scale due to legacy clients and the technical complexities of managing millions of connections.

While most modern browsers warn users about insecure connections, about 2-3% of “likely human” connections to Cloudflare’s network still use HTTP, with the percentage rising to over 16% for automated traffic. While HTTP Strict Transport Security (HSTS) partially mitigates this issue for web browsers, it doesn’t help with stateless API clients that don’t remember previous connection settings.

“We expect to make this free security feature available in the last quarter of 2025,” Cloudflare confirmed. While this change currently applies only to api.cloudflare.com, Cloudflare plans to make this security feature available to all customers in the last quarter of 2025.

Even with features like “Always Use HTTPS” enabled, the initial HTTP request contains sensitive information in plaintext before any redirection can occur.
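The initial-request exposure described above, as an added example that is not from Cloudflare or the original article: it compares a redirecting cleartext listener, a closed port, and a client-side HTTPS-only check. The loopback server stands in for a port-80 listener, and the token, the host name `api.example.test` and the path `/v1/items` are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

TOKEN = "constructed-token-123"  # constructed sample credential
SEEN = []                        # Authorization headers that reached the cleartext port

class RedirectToHTTPS(BaseHTTPRequestHandler):  # stand-in for a redirecting port-80 listener
    def do_GET(self):
        SEEN.append(self.headers.get("Authorization"))  # already crossed the wire in cleartext
        self.send_response(301)
        self.send_header("Location", "https://api.example.test" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

def send(url, token, https_only=False):
    """Stateless API client; with https_only it refuses before opening any socket."""
    u = urlsplit(url)
    if https_only and u.scheme != "https":
        raise ValueError("refusing to send credentials over " + u.scheme)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=5)
    try:
        conn.request("GET", u.path or "/", headers={"Authorization": "Bearer " + token})
        return conn.getresponse().status
    finally:
        conn.close()

def attempt(url, **kwargs):
    """Return the HTTP status, or the name of the error that stopped the request."""
    try:
        return send(url, TOKEN, **kwargs)
    except (OSError, ValueError) as exc:
        return type(exc).__name__

def demo():
    SEEN.clear()
    with HTTPServer(("127.0.0.1", 0), RedirectToHTTPS) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d/v1/items" % server.server_port
        redirected = attempt(url)   # port open: 301 comes back, token already exposed
        server.shutdown()
    closed = attempt(url)           # port closed: connect fails, no request is written
    guarded = attempt(url, https_only=True)  # client-side check: no socket at all
    return redirected, list(SEEN), closed, guarded

if __name__ == "__main__":
    print(demo())
```

Only the first case adds an entry to `SEEN`: the redirect arrives after the bearer token has already been transmitted, while the closed port and the client-side check both stop the request before any header is written.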
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Mar 2025 09:11:02 +0000