Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.
If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.
For more details on how encryption modes fit into the bigger picture of Cloudflare SSL/TLS protection, refer to Concepts.
Available encryption modes
- Off (no encryption): Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
- Flexible: Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.
- Full: When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses
http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
- Full (strict): When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
- Strict (SSL-Only Origin Pull): When you set your encryption mode to Strict (SSL-Only Origin Pull), connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.
Update your encryption mode
To change your encryption mode in the dashboard:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to SSL/TLS.
- Choose an encryption mode.
To adjust your encryption mode with the API, send a
PATCHrequest with the
valueparameter set to your desired setting (