Below is a clear, practical breakdown of Cloudflare’s SSL/TLS configuration options, what each mode does, when to use it, and the security implications.
How Cloudflare SSL works (context)
Cloudflare sits between visitors and your server:
Visitor → Cloudflare → Your origin server
Because of this, Cloudflare can control encryption on:
- The visitor ↔ Cloudflare connection
- The Cloudflare ↔ origin server connection
The SSL/TLS mode determines whether each leg is encrypted and, for the second leg, whether Cloudflare checks who it is actually talking to (the origin’s certificate).
Cloudflare SSL/TLS Modes (Overview)
| Mode | Visitor → Cloudflare | Cloudflare → Origin | Security Level |
|---|---|---|---|
| Off | HTTP | HTTP | None |
| Flexible | HTTPS | HTTP | Low |
| Full | HTTPS | HTTPS (no validation) | Medium |
| Full (Strict) | HTTPS | HTTPS (validated) | High |
1. SSL/TLS Mode: Off
What it does
- No encryption on either leg; Cloudflare answers HTTPS requests with a redirect to HTTP
- Website loads over HTTP only
When to use
- Almost never
- Temporary troubleshooting only
Risks
- No encryption
- Browsers mark site as “Not Secure”
- Credentials and data are exposed
2. SSL/TLS Mode: Flexible
What it does
- HTTPS between visitor and Cloudflare (using Cloudflare’s edge certificate)
- Plain HTTP between Cloudflare and your server (Cloudflare connects to port 80)
- No SSL certificate required on your server
When to use
- Your hosting does not support SSL
- You cannot install certificates on the origin
- Legacy or extremely limited hosting environments
Pros
- Very easy to enable
- No server configuration required
- Removes browser “Not Secure” warnings
Cons and risks
- Traffic between Cloudflare and your server is plaintext: anyone on that network path (hosting provider network, transit providers, a compromised neighbour) can read or alter it, including session cookies and credentials
- The visitor’s browser still shows a padlock, so the weak leg is invisible to users
- Can cause redirect loops if your server forces HTTPS: the origin sees plain HTTP and answers with a redirect to https://, Cloudflare fetches that URL over HTTP again, and the cycle repeats until the browser gives up
Verdict
Use only as a last resort.
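The redirect loop above, and the safe way to avoid it, are easy to see in code. The following is an added example, not Cloudflare’s code or anything from the original page: it models an origin behind Flexible mode that decides whether to redirect to HTTPS. The naive rule looks only at its own socket, which is never TLS under Flexible, so it redirects forever. The safe rule reads the visitor’s scheme from Cloudflare’s CF-Visitor header, but trusts that header only when the TCP peer is one of Cloudflare’s published IP ranges, so a direct client cannot forge it. The IP ranges, edge and visitor addresses and request dicts are constructed for the demo; a real deployment must load the current list from https://www.cloudflare.com/ips-v4 and ips-v6.

```python
import ipaddress
import json

# Constructed snapshot of a few of Cloudflare's published IPv4 ranges, for illustration
# only: a real origin must load the current list from https://www.cloudflare.com/ips-v4
# (and ips-v6) and refresh it, because the ranges change.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "162.158.0.0/15", "172.64.0.0/13",
)]

# Hypothetical edge IP and direct-visitor IP used in the constructed requests below.
EDGE_IP = "173.245.48.10"
DIRECT_IP = "203.0.113.7"


def from_cloudflare(peer_ip):
    """True if the TCP peer is inside a Cloudflare range, i.e. one of the only peers
    allowed to speak on the visitor's behalf."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def naive_needs_redirect(request):
    """The usual origin rule: redirect anything that did not arrive over TLS.
    Under Flexible the origin never sees TLS, so this fires on every request."""
    return not request["tls"]


def safe_needs_redirect(request):
    """Redirect only when the visitor's own leg is plain HTTP. The visitor's scheme
    comes from CF-Visitor, and that header is honoured only when the peer is
    Cloudflare, so a direct client cannot forge it to skip the redirect."""
    if request["tls"]:
        return False
    if from_cloudflare(request["peer_ip"]):
        try:
            visitor = json.loads(request["headers"].get("CF-Visitor", "{}"))
        except ValueError:
            visitor = {}
        return visitor.get("scheme") != "https"
    return True


def edge_request(visitor_scheme="https"):
    """Constructed request as the origin sees it in Flexible mode: plain HTTP from an
    edge IP, with the visitor's real scheme carried in CF-Visitor / X-Forwarded-Proto."""
    return {
        "tls": False,
        "peer_ip": EDGE_IP,
        "headers": {
            "CF-Visitor": json.dumps({"scheme": visitor_scheme}),
            "X-Forwarded-Proto": visitor_scheme,
            "Host": "www.example.com",
        },
    }


def simulate_flexible_fetch(decide, max_hops=10):
    """Model Cloudflare fetching the origin over HTTP and following each 301 back to
    https://..., which it again fetches over HTTP. Returns the number of redirects
    before a 200, or None if the origin never stops redirecting (the browser shows
    ERR_TOO_MANY_REDIRECTS)."""
    for hops in range(max_hops):
        if not decide(edge_request("https")):
            return hops
    return None


if __name__ == "__main__":
    print("naive rule:", simulate_flexible_fetch(naive_needs_redirect))   # None = loop
    print("safe rule: ", simulate_flexible_fetch(safe_needs_redirect))    # 0 = served directly
```

The same peer check is what makes any X-Forwarded-* header safe to trust: without it, anyone who can reach the origin directly can claim to be whoever they like. Blocking non-Cloudflare peers at the firewall is the stronger version of the same idea.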
3. SSL/TLS Mode: Full
What it does
- HTTPS between visitor and Cloudflare
- HTTPS between Cloudflare and your server
- Cloudflare does not validate the origin certificate
Origin certificate requirements
- Any SSL certificate works, because Cloudflare accepts whatever the origin presents:
  - Self-signed
  - Expired
  - Cloudflare Origin Certificate
  - Let’s Encrypt
When to use
- You have SSL on your server, but:
  - It’s self-signed, or
  - It’s temporarily invalid
- You want encryption without strict validation
Pros
- Encrypts the entire connection
- Easy upgrade from Flexible
- Better security than Flexible
Cons
- Cloudflare does not verify who issued the certificate, whether it has expired, or whether it matches your hostname
- Because the origin is not authenticated, an attacker on the path between Cloudflare and your server can present their own certificate and Cloudflare will happily talk to it; the connection is encrypted, but not necessarily to you
Verdict
Acceptable short-term solution, but not ideal long-term.
4. SSL/TLS Mode: Full (Strict)
What it does
- HTTPS between visitor and Cloudflare
- HTTPS between Cloudflare and origin
- Cloudflare verifies the origin certificate: it must be issued by a publicly trusted CA or by the Cloudflare Origin CA, be within its validity period, and match the requested hostname
Origin certificate requirements
One of the following:
- Valid public certificate (Let’s Encrypt, ZeroSSL, etc.)
- Cloudflare Origin Certificate (recommended)
When to use
- Production websites
- Any site handling user data
- Security-conscious setups
Pros
- Both legs encrypted and the origin authenticated (note that Cloudflare still terminates TLS at the edge and sees the plaintext, so “end-to-end” here means each hop, not visitor-to-origin)
- Protection against MITM attacks between Cloudflare and the origin
- Highest security level of the four modes
- Visitors are served Cloudflare’s edge certificate, so the origin certificate only needs to be trusted by Cloudflare
Cons
- Requires a valid certificate on the server
- Slightly more setup than Flexible
Verdict
Recommended and best practice.
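The difference between Full and Full (Strict) above comes down to one client-side setting: whether the certificate the origin presents is verified. The following added example (not Cloudflare’s code or the page’s own) reproduces that difference locally with Python’s ssl module. It assumes an openssl 1.1.1+ command-line tool on PATH to mint two throwaway self-signed certificates for the hypothetical name origin.example: one standing in for your real origin, one for an attacker who intercepts the Cloudflare-to-origin path and presents their own certificate with the same name. The “Full” client accepts both; the “Strict” client, which trusts only the real certificate (standing in for the Cloudflare Origin CA root), rejects the impostor.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Hypothetical origin hostname; it goes into the certificates' SAN so that hostname
# checking, part of what "strict" means, is exercised as well.
ORIGIN_HOST = "origin.example"


def make_self_signed(directory, name):
    """Generate a throwaway self-signed ECDSA certificate with the openssl CLI
    (assumed: OpenSSL 1.1.1+ on PATH). Returns (cert_path, key_path)."""
    key = os.path.join(directory, f"{name}.key")
    cert = os.path.join(directory, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-days", "1",
         "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
         "-keyout", key, "-out", cert,
         "-subj", f"/CN={ORIGIN_HOST}",
         "-addext", f"subjectAltName=DNS:{ORIGIN_HOST}"],
        check=True, capture_output=True,
    )
    return cert, key


def origin_server(cert, key):
    """Server context: the origin presents whatever certificate it was given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    return ctx


def full_mode_client():
    """Client behaving like Full: encrypt, but accept any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def full_strict_client(trusted_cert):
    """Client behaving like Full (Strict): the chain must lead to a trusted anchor
    (here the origin's own self-signed cert plays the Origin CA root), the cert must be
    inside its validity period, and the name must match ORIGIN_HOST."""
    return ssl.create_default_context(cafile=trusted_cert)


def handshake_succeeds(client_ctx, server_ctx):
    """Run one TLS handshake over a local socket pair. True if the client accepts the
    server, False if certificate verification rejects it."""
    client_sock, server_sock = socket.socketpair()

    def serve():
        try:
            with server_ctx.wrap_socket(server_sock, server_side=True) as s:
                s.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client tore the handshake down; nothing more to do

    t = threading.Thread(target=serve)
    t.start()
    try:
        with client_ctx.wrap_socket(client_sock, server_hostname=ORIGIN_HOST) as c:
            c.sendall(b"x")
        return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        t.join()


def compare_modes():
    """Return which (client mode, server certificate) pairs complete a handshake."""
    with tempfile.TemporaryDirectory() as d:
        origin_cert, origin_key = make_self_signed(d, "origin")
        rogue_cert, rogue_key = make_self_signed(d, "rogue")  # same name, attacker's key
        real = origin_server(origin_cert, origin_key)
        rogue = origin_server(rogue_cert, rogue_key)
        return {
            "full_vs_origin": handshake_succeeds(full_mode_client(), real),
            "full_vs_rogue": handshake_succeeds(full_mode_client(), rogue),
            "strict_vs_origin": handshake_succeeds(full_strict_client(origin_cert), real),
            "strict_vs_rogue": handshake_succeeds(full_strict_client(origin_cert), rogue),
        }


if __name__ == "__main__":
    for case, ok in compare_modes().items():
        print(f"{case}: {'handshake OK' if ok else 'rejected'}")
```

The “full_vs_rogue” row is the whole argument for Full (Strict): in Full mode the encryption works perfectly and the wrong party is on the other end. The same check can be run against a real origin with openssl s_client, passing the Cloudflare Origin CA root as the CA file and watching for a verification error.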
Cloudflare Origin Certificates (Important)
Cloudflare allows you to generate free Origin Certificates:
- Installed only on your server
- Trusted only by Cloudflare: browsers do not trust the Cloudflare Origin CA, so visitors who reach the origin directly will see a certificate error
- Valid for up to 15 years
- Perfect for Full (Strict) mode
This avoids renewal issues common with Let’s Encrypt on some hosts.
Related SSL/TLS Settings in Cloudflare
1. Always Use HTTPS
- Redirects HTTP → HTTPS automatically
- Should be enabled for most sites
2. Automatic HTTPS Rewrites
- Fixes mixed content by rewriting HTTP links to HTTPS
- Useful for older sites
3. HSTS (HTTP Strict Transport Security)
- Tells browsers that have seen the header to use HTTPS only for the site, for as long as max-age says
- Should be enabled only after confirming HTTPS works perfectly: browsers cache the policy, so a long max-age (and the includeSubDomains and preload options) cannot be quickly undone if something breaks
4. Minimum TLS Version
- Recommended: TLS 1.2 or higher (Cloudflare’s default minimum is TLS 1.0)
- Improves security by refusing legacy protocol versions; may drop very old browsers and clients
Recommended Configuration (Most Sites)
SSL/TLS Mode: Full (Strict)
Origin Certificate: Cloudflare Origin Certificate or Let’s Encrypt
Always Use HTTPS: Enabled
Automatic HTTPS Rewrites: Enabled
HSTS: Enabled after testing
Common Mistakes to Avoid
- Turning off the Cloudflare proxy (orange cloud) when the origin only has a Cloudflare Origin Certificate: visitors then connect straight to the origin and get a certificate error, because browsers do not trust the Origin CA
- Using Flexible SSL while forcing HTTPS on the server (redirect loop)
- Leaving SSL mode on Full long-term: it silently accepts an expired or self-signed origin certificate, so the problem only surfaces when you switch to Full (Strict)
- Enabling HSTS before HTTPS is fully working