Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.
The simplest way to choose your encryption mode is to enable the SSL/TLS Recommender, which scans your domain and recommends the appropriate setting.
To make sure you do not inadvertently block the SSL/TLS Recommender, review your settings to make sure your domain:
- Is accessible.
- Is not blocking requests from our bot (which uses a user agent of Cloudflare-SSLDetector).
- Does not have any active, SSL-specific or .
Then, you can enable SSL/TLS recommendations in the dashboard:
- Log in to the Cloudflare dashboard and select your account and application.
- Go to SSL/TLS.
- For SSL/TLS Recommender, switch the toggle to On.
Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly targeting the user agent).
If the scan results in a recommendation, the Recommender sends the application owner an email with the recommended option and adds a Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required to use this recommendation.
If you do not receive an email, keep your current SSL encryption mode.
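Because the scan honors only robots.txt rules that explicitly target its user agent, it helps to check your own robots.txt for such rules before enabling the Recommender. The following is an added example, not Cloudflare's code: the function name and sample file are hypothetical, and it assumes user-agent names are compared case-insensitively as whole tokens.

```python
SCANNER_UA = "Cloudflare-SSLDetector"  # user agent named on this page


def explicit_disallows(robots_txt, agent=SCANNER_UA):
    """Return Disallow paths from groups that name `agent` explicitly.

    Wildcard (`*`) groups are skipped, because the page says the scan ignores
    robots.txt except for rules explicitly targeting the user agent.
    Assumption: agent names are compared case-insensitively (RFC 9309 style).
    """
    blocked = []
    group_agents = []      # user agents of the group being read
    in_rules = False       # True once the current group has seen a rule line
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:               # a rule line ended the previous group
                group_agents, in_rules = [], False
            group_agents.append(value.lower())
        elif field in ("allow", "disallow"):
            in_rules = True
            # An empty Disallow value blocks nothing, so it is not reported.
            if field == "disallow" and value and agent.lower() in group_agents:
                blocked.append(value)
    return blocked


# Constructed sample input, not taken from a real site.
SAMPLE = """\
User-agent: *
Disallow: /private/

User-agent: BadBot
User-agent: cloudflare-ssldetector   # explicit target, mixed case
Disallow: /
Allow: /status

User-agent: Cloudflare-SSLDetector
Disallow:
"""

if __name__ == "__main__":
    hits = explicit_disallows(SAMPLE)
    print("Explicit rules that may block the scan:", hits or "none")
```

An empty result means robots.txt will not stop the scan; firewall or other request-blocking rules still need a separate review.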
These modes usually require additional setup and can be more technically challenging.
Enforce HTTPS connections
Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.
Evaluate additional features
After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:
- : Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
- : Ensure all requests to your origin server originate from the Cloudflare network.
- : Set up alerts related to certificate validation status, issuance, deployment, renewal, and expiration.