The modes listed below control the scheme (
https://) that Cloudflare uses to connect to your origin, and how SSL certificates presented by your origin will be validated.
Connections to your origin will be made using plaintext
http:// regardless of what was requested by the visitor. This option is not recommended, especially if you have any sensitive information on your website.
Choose this mode as a last resort if your origin does not support SSL/TLS If your origin supports SSL/TLS but does not provide a certificate that is valid for your hostname, chose Full mode instead.
Connections to the origin will be made using the scheme requested by the visitor, i.e., if
http:// was used then Cloudflare will connect to the origin using plaintext HTTP or if
https:// was used the connection will be made using SSL/TLS.
The certificate presented by the origin will not be validated in any way. It can be expired, self-signed, or not even have a matching CN/SAN entry for the hostname requested. You should only use this method if you do not have the ability to use a valid, publicly trusted certificate on your origin.
Connections to the origin will be made using the scheme requested by the visitor.
The certificate presented by the origin must meet the following criteria:
- Unexpired, i.e., the certificate notBeforeDate < now() < notAfterDate
- Issued by a or
- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname
Strict (SSL-Only Origin Pull)
This method is only available for Enterprise zones.
Connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.
The certificate presented by the origin will be validated the same as with Strict mode.
Not recommended. Disables HTTPS for your website. Any visitor attempting to connect via HTTPS will receive a HTTP 301 redirect to plaintext HTTP.