Understand which Cloudflare SSL options encrypt HTTPS traffic between Cloudflare and the origin web server.
Overview
The SSL section of the Cloudflare SSL/TLS app contains several options that determine whether Cloudflare securely connects to your origin web server.
After reviewing the description of each SSL option, refer to our list of recommended SSL options depending on your origin web server SSL configuration:
Off disables HTTPS for your site visitors whereas Full(Strict) provides the most traffic security end-to-end.
Off
Off disables secure HTTPS connections between both visitors and Cloudflare and between Cloudflare and your origin web server. Visitors can only view your website over HTTP. Any connections attempted via HTTPS result in a HTTP 301 redirect to unencrypted HTTP.
Flexible
The Flexible SSL option allows a secure HTTPS connection between your visitor and Cloudflare, but forces Cloudflare to connect to your origin web server over unencrypted HTTP. An SSL certificate is not required on your origin web server and your visitors will still see the site as being HTTPS enabled.
Full
Full ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your web server.
To avoid 525 errors, before enabling Full SSL option, configure your origin web server to allow HTTPS connections on port 443 and present either a self-signed SSL certificate, a Cloudflare Origin CA certificate, or a valid certificate purchased from a Certificate Authority.
Full (strict)
Full (strict) ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server. Full (strict) support SSL hostname validation against CNAME targets.
Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).
Strict (SSL-Only Origin Pull)
Strict (SSL-Only Origin Pull) instructs Cloudflare's network to always connect to your origin web server using SSL/TLS encryption (HTTPS). The SSL certificate presented by the origin web server must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).
SSL/TLS Recommender
Check if your domain could upgrade to a more secure SSL option by enabling SSL/TLS Recommender.
Recommender does the following to maximize security while preserving content:
- Checks for content differences in your site when served over HTTP and HTTPS
- Looks for a valid SSL certificate
- Crawls recursively over encrypted and unencrypted connections
When enabled, SSL/TLS Recommender sends the zone owner an email with an SSL option recommendation (if one is available). A Recommended by Cloudflare tag displays next to the recommended option on the SSL/TLS page. If you do not receive an email, keep your current option. You are not required to use the recommendation. Recommender runs periodically and sends notifications if new recommendations become available. Recommender will never recommend a weaker SSL option than what is currently configured.
SSL/TLS Recommender is not intended to resolve issues with website or domain functionality. Recommender is not compatible with all other Cloudflare features and will not be able to complete its scan and show the Recommended by Cloudflare tag if:
- Your domain is not functional
- You enable Cloudflare Workers for your website
- You block all bots
- You have any active, SSL-specific Page Rules
Related resources
Learn
- End-to-end HTTPS with Cloudflare - Part 1: conceptual overview
- End-to-end HTTPS with Cloudflare - Part 2: SSL certificates