Mutual TLS (mTLS) adds an extra layer of protection to application connections by validating certificates on the server and the client. When building a SaaS application, you may want to enforce mTLS to protect sensitive endpoints related to payment processing, database updates, and more.

Minimum TLS Version allows you to choose a cryptographic standard per custom hostname. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council.

Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake. As a SaaS provider, you can specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames via the API.

Enable mTLS

Once you have added a custom hostname, you can enable mTLS by using Cloudflare Access. Go to the Cloudflare Zero Trust dashboard and add mTLS authentication with a few clicks.

Enable Minimum TLS Version

  1. Log in to the Cloudflare dashboard and navigate to your account and website.

  2. Select SSL/TLS > Custom Hostnames.

  3. Find the hostname to which you want to apply Minimum TLS Version. Select Edit.

  4. Choose the desired TLS version under Minimum TLS Version and click Save.
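To confirm that the saved setting is enforced, the script below probes a custom hostname one TLS version at a time and compares the result with the configured minimum. It is an added example, not Cloudflare's code; the `pinned_context`, `probe` and `audit` names, and the TLS 1.2 minimum used in the main block, are assumptions of this example.

```python
import socket
import ssl
import sys

V = ssl.TLSVersion
VERSIONS = [V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]

def pinned_context(version):
    """Client context able to negotiate exactly one TLS version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # TLS 1.0/1.1 need OpenSSL security level 0 on the probing client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # backend without @SECLEVEL: keep its default cipher list
    return ctx

def probe(host, version, port=443, timeout=5.0):
    """True: version negotiated; False: handshake refused; None: could not test."""
    try:
        ctx = pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return True   # version was negotiated; the certificate is a separate issue
    except ssl.SSLError:
        return False  # handshake failed, e.g. a protocol_version alert
    except (OSError, ValueError):
        return None   # network error, or local OpenSSL cannot offer this version

def audit(results, minimum):
    """Compare probe results with the Minimum TLS Version set on the hostname."""
    return {
        "too_low": [v.name for v, ok in results.items() if ok and v < minimum],
        "minimum_ok": results.get(minimum) is True,
        "untested": [v.name for v, ok in results.items() if ok is None],
    }

if __name__ == "__main__":
    host = sys.argv[1]  # the custom hostname to check
    report = audit({v: probe(host, v) for v in VERSIONS}, V.TLSv1_2)
    print(report)
    sys.exit(1 if report["too_low"] or not report["minimum_ok"] else 0)
```

A `False` for TLS 1.0 or 1.1 can also mean the local OpenSSL build refused to offer that version, so confirm a clean result from a client known to support the legacy protocols.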

Cipher suites

Cipher suites for zone
Cipher suites per custom hostname