The modes listed below control the scheme (
https://) that Cloudflare uses to connect to your origin web server and how SSL certificates presented by your origin will be validated.
Update your encryption mode
To change your encryption mode:
- Log in to the and select your account and application.
- Navigate to SSL/TLS.
- Choose a new encryption mode.
Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
Cloudflare does not recommend setting your encryption mode to Off.
There is no required set up for this option.
When you set your encryption mode to Off, your application:
- Leaves your visitors and your application .
- Will be marked as “not secure” by Chrome and other browsers, reducing visitor trust.
- Will be penalized in .
Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.
Choose this option when you cannot set up an SSL certificate on your origin or your origin does not support SSL/TLS.
When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses
http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
Choose Full mode when your origin can support an SSL certification, but — for various reasons — it cannot support a valid, publicly trusted certificate.
Before enabling Full mode, make sure your origin allows HTTPS connections on port 443 and presents a certificate (self-signed, , or purchased from a Certificate Authority). Otherwise, your visitors may experience a .
The certificate presented by the origin will not be validated in any way. It can be expired, self-signed, or not even have a matching CN/SAN entry for the hostname requested.
Your origin needs to be able to support an SSL certificate that is:
- Unexpired, meaning the certificate notBeforeDate < now() < notAfterDate.
- Issued by a or .
- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
Strict (SSL-Only Origin Pull)
This method is only available for Enterprise zones.
Connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.