Connections made over cleartext HTTP ports can expose sensitive information, because the data is unencrypted and can be intercepted by network intermediaries.

Connections made over cleartext HTTP ports risk exposing sensitive information because the data is transmitted unencrypted and can be intercepted by network intermediaries, such as ISPs, Wi-Fi hotspot providers, or malicious actors on the same network. It is common for servers to either redirect or return a 403 (Forbidden) response to close the HTTP connection and force clients onto HTTPS. By the time that happens, however, it may already be too late: sensitive information, such as an API token, may have been transmitted in cleartext in the client's initial request. That data is exposed before the server ever has a chance to redirect the client or reject the connection.
A better approach is to refuse the underlying cleartext connection by closing the network ports used for plaintext HTTP, and that’s exactly what we’re going to do for our customers.
Today we’re announcing that we’re closing all of the HTTP ports on api.cloudflare.com. We’re also making changes so that api.cloudflare.com can change IP addresses dynamically, in line with our ongoing efforts to decouple names from IP addresses and to manage addresses reliably in our authoritative DNS. This will make management of the API endpoint more agile and flexible. Customers that rely on static IP addresses for our API endpoints will be notified in advance to prevent any availability issues.
In addition to taking this first step to secure Cloudflare API traffic, we’ll release the ability for customers to opt in to safely disabling all HTTP port traffic for their websites on Cloudflare. We expect to make this free security feature available in the last quarter of 2025.
We have consistently advocated for strong encryption standards to safeguard users’ data and privacy online. As part of our ongoing commitment to enhancing Internet security, this blog post details our efforts to enforce HTTPS-only connections across our global network.
Understanding the problem
We already provide an “Always Use HTTPS” setting that redirects all visitor traffic on our customers’ domains (and subdomains) from HTTP (plaintext) to HTTPS (encrypted). For instance, when a user follows an HTTP version of a URL on the site (http://www.example.com), we issue an HTTP 3XX redirection status code that immediately sends the request to the corresponding HTTPS version (https://www.example.com) of the page. While this works well for most scenarios, there is a subtle but important risk: what happens if the initial plaintext HTTP request (the one sent before the redirect) contains sensitive user information?
Initial plaintext HTTP request is exposed to the network before the server can redirect to the secure HTTPS connection.
Third parties or intermediaries on shared networks could intercept sensitive data from the first plaintext HTTP request, or even carry out a Monster-in-the-Middle (MITM) attack by impersonating the web server.
One may ask whether HTTP Strict Transport Security (HSTS) partially alleviates this concern by ensuring that, after the first request, visitors can only reach the website over HTTPS, with no redirect needed. While this does reduce the window of opportunity for an adversary, the first request still remains exposed (unless the domain is on the HSTS preload list built into browsers, which only helps browser clients). Additionally, HSTS does not help for most non-user-facing use cases, such as API traffic from stateless clients: many API clients keep no browser-like state and do not remember HSTS headers they have seen. It is common practice for API calls to be redirected from HTTP to HTTPS, which means their initial request is exposed to the network.
Therefore, in line with our culture of dogfooding, we evaluated the accessibility of the Cloudflare API (api.cloudflare.com) over HTTP ports (80 and the other plaintext ports). Imagine a client making an initial request to our API endpoint that includes its secret API key. For API traffic we outright reject all plaintext connections with a 403 Forbidden response instead of redirecting, clearly stating that “Cloudflare API is only accessible over TLS”, but this rejection still happens at the application layer. By that point the API key may already have been exposed on the network, before we can even reject the request. We do have a notification mechanism in place to alert customers and rotate their API keys accordingly, but a stronger approach would be to eliminate the exposure entirely. We have an opportunity to improve!
A better approach to API security
Any API key or token exposed in plaintext on the public Internet should be considered compromised. We can either address exposure after it occurs or prevent it entirely. The reactive approach involves continuously tracking and revoking compromised credentials, which requires active management to rotate each one. For example, when a plaintext HTTP request reaches our API endpoints, we detect exposed tokens by scanning the request for 'Authorization' header values.
In contrast, a preventive approach is stronger and more effective, because it stops the exposure before it happens. Instead of relying on the API service application to react after it has already received potentially sensitive cleartext data, we can preemptively refuse the underlying connection at the transport layer.
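The following is an added example, not Cloudflare's code, that makes the three situations above concrete: a loopback HTTP server stands in for the API's plaintext port and, like the API, answers 403 Forbidden (or, in a second mode, a 3XX redirect as "Always Use HTTPS" would), while also doing the reactive detection from the previous section by recording every Authorization header it sees. A stateless client then sends a bearer token on its first request. In both server modes the token has already crossed the network before the response is chosen; only when the port is closed (connection refused at the transport layer) does nothing leave the client. The request path, host and token values are constructed for the demonstration.

```python
"""Added example: plaintext-port token exposure versus a closed port.

Not Cloudflare's code. A local HTTPServer plays the role of the API's
cleartext HTTP port; the path and tokens below are constructed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Reactive detection: every credential observed on the plaintext port is
# considered compromised and is queued here for rotation.
exposed_tokens = []


class PlaintextHandler(BaseHTTPRequestHandler):
    # "reject": answer 403 as the API does; "redirect": answer 301 to https
    # as the "Always Use HTTPS" setting does for websites.
    mode = "reject"

    def do_GET(self):
        # By the time this runs the whole request, Authorization header
        # included, has already been transmitted in cleartext.
        auth = self.headers.get("Authorization")
        if auth:
            exposed_tokens.append(auth)
        if self.mode == "redirect":
            self.send_response(301)
            self.send_header("Location", "https://" + self.headers.get("Host", "") + self.path)
            self.end_headers()
        else:
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"API is only accessible over TLS\n")

    def log_message(self, format, *args):  # keep the demo output quiet
        pass


def start_plaintext_server(mode):
    """Bind an ephemeral loopback port and serve it in a background thread."""
    PlaintextHandler.mode = mode
    server = HTTPServer(("127.0.0.1", 0), PlaintextHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call_api(port, token):
    """Stateless client: sends the token on its very first request.

    Returns whether the request left the client and the status received,
    or sent=False when the TCP connection itself was refused.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/client/v4/user",  # constructed path
                     headers={"Authorization": "Bearer " + token})
        resp = conn.getresponse()
        resp.read()
        return {"sent": True, "status": resp.status}
    except ConnectionRefusedError:
        return {"sent": False, "status": None}
    finally:
        conn.close()


def demo():
    """Run the three scenarios and report what the server saw in each."""
    results = {}
    last_port = None
    for mode in ("reject", "redirect"):
        exposed_tokens.clear()
        server = start_plaintext_server(mode)
        last_port = server.server_port
        outcome = call_api(last_port, "constructed-token-" + mode)
        outcome["exposed"] = list(exposed_tokens)
        results[mode] = outcome
        server.shutdown()
        server.server_close()
    # Transport-layer refusal: the port is now closed, so the kernel answers
    # the SYN with a RST and no HTTP request (and no token) is ever sent.
    exposed_tokens.clear()
    outcome = call_api(last_port, "constructed-token-closed")
    outcome["exposed"] = list(exposed_tokens)
    results["closed"] = outcome
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9} sent={outcome['sent']!s:5} status={outcome['status']} "
              f"exposed={outcome['exposed']}")
```

Running the script shows `sent=True` with the token recorded for both the 403 and the 301 server, and `sent=False` with nothing recorded for the closed port; the application-layer response makes no difference to what was exposed, which is the reason for closing the ports rather than answering on them.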