SSL/TLS settings
Once you make sure that your Cloudflare SSL/TLS is working correctly, you will likely want to customize your SSL/TLS setup.
Your zone's SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.
flowchart LR accTitle: SSL/TLS Encryption mode A[Browser] <--Connection 1--> B((Cloudflare))<--Connection 2--> C[(Origin server)]
The simplest way to choose your encryption mode is to enable the SSL/TLS Recommender, which scans your domain and recommends the appropriate setting.
To make sure you do not inadvertently block the SSL/TLS Recommender, review your settings to make sure your domain:
- Is accessible.
- Is not blocking requests from our bot (which uses a user agent of
Cloudflare-SSLDetector
). - Does not have any active, SSL-specific Page Rules or Configuration rules.
Then, you can enable SSL/TLS recommendations in the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account and application.
- Go to SSL/TLS.
- For SSL/TLS Recommender, switch the toggle to On.
Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent Cloudflare-SSLDetector
and ignores your robots.txt
file (except for rules explicitly targeting the user agent).
Based on this initial scan, the Recommender may decide that you could use a stronger SSL encryption mode. It will never recommend a weaker option than what is currently configured.
If so, it will send the application owner an email with the recommended option and add a Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required to use this recommendation.
If you do not receive an email, keep your current SSL encryption mode.
If possible, Cloudflare recommends using Full or Full (strict) modes to prevent malicious connections to your origin.
These modes usually require additional setup and can be more technically challenging.
Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.
Using various Cloudflare settings, however, you can force all or most visitor connections to use HTTPS.
After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:
- Edge certificates: Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
- Authenticated origin pull: Ensure all requests to your origin server originate from the Cloudflare network.
- Notifications: Set up alerts related to certificate validation status, issuance, deployment, renewal, and expiration.