Finding clear text http requests


I did not find a way to see requests or events that access my sites using plain text http (not httpS), so I can find any sources that refer to me in an unsecure way.

Is there a way to do achieve this?


For starters, verify your encryption mode. Are you on Full Strict?

Sure, plus full HSTS

In that case I’d first check out and While this won’t give you the exact URLs, you should at least have an overview of how many HTTP requests you get.

Generally, if you use Always Use HTTPS, no HTTP requests should go to your server, as they should be redirected on the proxies already.

Otherwise, your server logs should also provide more insight. Cloudflare does not provide such logs, unless you are using Enterprise.

1 Like

Thanks, I know all of this.

I don’t see why only Enterprise plan customers should see this data.
Giving me only the high level numbers of plain http request doesn’t help me to better understand why this is happening so I can act towards eliminating this situation.
I hope CF will add this ability to at least the base paying plan.

If you want to have more insight you may want to disable the redirect on Cloudflare and let all requests be forwarded to your server. You can then analyse the requests straight from your logs. Of course, cached responses would be a different story, but if you just want to analyse this for a few days you could even disable caching.

Man… thanks for your persistence with ideas to help me to bypass the limitations of CF’s reality, but I I do pay to CF and wish for it to solve as much as possible issues on the edge, so I can leave my backend server alone.

If you want to access Cloudflare logs, you need an Enterprise plan, otherwise you are limited to mentioned pages in the dashboard.

You could roll out your own Worker based tracking, but that would custom JavaScript code. There is a third-party Cloudflare application for that as well, but that’s paid too.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.