Skip to content
SSL
Visit SSL on GitHub
Set theme to dark (⇧+D)

Encryption modes

The modes listed below control the scheme (http:// or https://) that Cloudflare uses to connect to your origin web server, and how SSL certificates presented by your origin will be validated.


Off

Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.

Use when

Cloudflare does not recommend setting your encryption mode to Off.

Required setup

There is no required set up for this option.

Limitations

When you set your encryption mode to Off, your application:

SSL Encryption set to off


Flexible

Setting your encryption mode to Flexible makes your site partially secure. Cloudflare enforces HTTPS between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.

Use when

Choose this option when you cannot set up an SSL certificate on your origin or your origin does not support SSL/TLS.

Required setup

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.

Limitations

If your application contains sensitive information (personalized data, user login), use Full or Full (Strict) modes instead.

SSL Encryption set to Flexible


Full

When you set your encryption mode to Full, Cloudflare enforces HTTPS between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.

Use when

Choose Full mode when your origin can support an SSL certification, but — for various reasons — it cannot support a valid, publicly trusted certificate.

Required setup

Before enabling Full mode, make sure your origin allows HTTPS connections on port 443 and presents a certificate (self-signed, Cloudflare Origin CA, or purchased from a Certificate Authority). Otherwise, your visitors may experience a 525 error.

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.

Limitations

The certificate presented by the origin will not be validated in any way. It can be expired, self-signed, or not even have a matching CN/SAN entry for the hostname requested.

Without using Full (strict), a malicious party could technically hijack the connection and present their own certificate.

SSL Encryption set to Full


Full (strict)

When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.

Use when

For the best security, choose Full (strict) mode whenever possible (unless your are an Enterprise customer).

Your origin needs to be able to support an SSL certificate that is:

Required setup

Before enabling Full (strict) mode, make sure your origin allows HTTPS connections on port 443 and presents a certificate matching the requirements above. Otherwise, your visitors may experience a 526 error.

Limitations

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.

SSL Encryption set to Full (strict)


Strict (SSL-Only Origin Pull)

This method is only available for Enterprise zones.

Connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.

The certificate presented by the origin will be validated the same as with Full (strict) mode.

Use when

You want the most secure configuration available for your origin, you are an Enterprise customer, and you meet the requirements for Full (strict) mode.

Required setup

The setup is the same as Full (strict) mode, but you select Strict (SSL-Only Origin Pull) for your encryption mode.

Limitations

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.