Full (strict) - SSL/TLS encryption modes
When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
For the best security, choose Full (strict) mode whenever possible (unless you are an Enterprise customer).
Your origin needs to be able to support an SSL certificate that is:
- Unexpired, meaning the certificate presents
notBeforeDate < now() < notAfterDate.
- Issued by a publicly trusted certificate authority or Cloudflare’s Origin CA.
- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
Before enabling Full (strict) mode, make sure your origin:
- Allows HTTPS connections on port
- Presents a certificate matching the requirements above.
Otherwise, your visitors may experience a 526 error.
To change your encryption mode in the dashboard:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to SSL/TLS.
- Choose an encryption mode.
To adjust your encryption mode with the API, send a
PATCHrequest with the
valueparameter set to your desired setting (
Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.