Authenticated origin pull
Authenticated origin pulls help ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of Full or Full (strict) encryption modes.
This authentication becomes particularly important with the Cloudflare Web Application Firewall (WAF). Together with the WAF, you can make sure that all traffic is evaluated before receiving a response from your origin server.
If you want your domain to be FIPS compliant, you must upload your own certificate (which is an option for both zone-level and per-hostname authenticated origin pulls).
Authenticated Origin Pull is incompatible with Railgun.
Authenticated Origin Pull also does not work when your SSL/TLS encryption mode is set to Off or Flexible.