Encryption modes
Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.
flowchart LR accTitle: SSL/TLS Encryption mode A[Browser] <--Connection 1--> B((Cloudflare))<--Connection 2--> C[(Origin server)]
If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.
For more details on how encryption modes fit into the bigger picture of Cloudflare SSL/TLS protection, refer to Concepts.
Automatic SSL/TLS uses the SSL/TLS Recommender to make the determination as to what encryption mode is the most secure and safest for a website to be set to. If there is a more secure option for your website (based on your origin certification or capabilities), Automatic SSL/TLS will find it and apply it for your domain. The other option, Custom SSL/TLS, will work exactly like the setting the encryption mode does today.
To understand how the various encryption modes affect your cache, refer to the section on Impact of SSL setting on cache behavior.
Automatic SSL/TLS uses the SSL/TLS Recommender to identify and apply the most secure encryption mode for your website. It continuously assesses your traffic to determine if a more secure option is needed based on your origin certification or capabilities, and updates your settings automatically to ensure the highest level of security for your domain.
Cloudflare is enabling Automatic SSL/TLS on the following dates:
Plan | Using SSL/TLS recommender? | Grace period ends |
---|---|---|
Non-Enterprise | Yes | September 9th, 2024 |
Enterprise | Yes | October 7th, 2024 |
All plans | No | October 21st, 2024 |
If you want to opt a zone out via the API, you can make this API call on or before the grace period expiration date.
If you wanted to opt out multiple zones:
-
Create an API token with the following permissions:
Zone - Zone - Read
Zone - Zone Settings - Read
Zone - Zone Settings - Edit
-
Make a
GET
request to get a list of zones (you can filter this list byaccount.id
). -
Create a list of zone IDs you want to opt-out with each zone ID on a separate line (newline separate), stored in a file such as
zones.txt
. -
Create a bash script for
opt-out-multiple-zones.sh
and add the following. Addzones.txt
to the same directory or update the path accordingly. -
Open your command line and run:
To use Custom SSL/TLS, select the custom option (if you prefer to manually set the encryption mode instead of using Automatic SSL/TLS):
- Off (no encryption): No encryption is used for traffic between browsers and Cloudflare or between Cloudflare and origins. Everything is cleartext HTTP.
- Flexible: Traffic from browsers to Cloudflare can be encrypted via HTTPS, but traffic from Cloudflare to the origin server is not. This mode is common for origins that do not support TLS, though upgrading the origin configuration is recommended whenever possible.
- Full: Cloudflare matches the browser request protocol when connecting to the origin. If the browser uses HTTP, Cloudflare connects to the origin via HTTP; if HTTPS, Cloudflare uses HTTPS without validating the origin’s certificate. This mode is common for origins that use self-signed or otherwise invalid certificates.
- Full (strict): Similar to Full Mode, but with added validation of the origin server’s certificate, which can be issued by a public CA like Let’s Encrypt or by Cloudflare Origin CA.
- Strict (SSL-Only Origin Pull): Regardless of whether the browser-to-Cloudflare connection uses HTTP or HTTPS, Cloudflare always connects to the origin over HTTPS with certificate validation.
To change your encryption mode in the dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to SSL/TLS.
- Choose an encryption mode.
To adjust your encryption mode with the API, send a PATCH
request with ssl
as the setting name in the URI path, and the value
parameter set to your desired setting (off
, flexible
, full
, strict
, or origin_pull
).