Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.
Available encryption modes
- : Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
- : Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.
- : When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses
http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
- : When you set your encryption mode to Full (strict), Cloudflare does everything in but also enforces more stringent requirements for origin certificates.
- : When you set your encryption mode to Strict (SSL-Only Origin Pull), connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.