Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Strict (SSL-Only Origin Pull) - SSL/TLS encryption modes

Connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.

The certificate presented by the origin will be validated the same as with Full (strict) mode.

flowchart LR accTitle: Strict (SSL-Only Origin Pull) SSL/TLS Encryption accDescr: With an encryption mode of Strict (SSL-Only Origin Pull), all connections to the origin will always be made using SSL/TLS. A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[("Origin server (verified) ✅")]

​​ Use when

You want the most secure configuration available for your origin, you are an Enterprise customer, and you meet the requirements for Full (strict) mode.

​​ Required setup

The setup is the same as Full (strict) mode, but you select Strict (SSL-Only Origin Pull) for your encryption mode.

​​ Limitations

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.