Require specific HTTP ports

By default, Cloudflare allows requests on a number of different HTTP ports.

You can target requests based on their HTTP port with the cf.edge.server_port field. Use the in comparison operator to target a set of ports.

This example blocks requests to www.example.com that are not on ports 80 or 443:

• Expression: (http.host eq "www.example.com" and not cf.edge.server_port in {80 443})
• Action: Block

Open server ports and blocked traffic

Due to the nature of Cloudflare's anycast network, ports other than 80 and 443 will be open so that Cloudflare can serve traffic for other customers on these ports. In general, Cloudflare makes available several different products on Cloudflare IPs ↗, so you can expect tools like Netcat and security scanners to report these non-standard ports as open in specific conditions. If you have questions on security compliance, review Cloudflare's certifications and compliance resources ↗ and contact your Cloudflare enterprise account manager for more information.

Custom rules and WAF Managed Rules can block traffic at the application layer (layer 7 in the OSI model ↗), preventing HTTP/HTTPS requests over non-standard ports from reaching the origin server.