End-to-end HTTPS with Cloudflare - Part 1: conceptual overview

Learn to configure end-to-end HTTPS encryption for website traffic protected by Cloudflare.


Standard HTTP sends data over the Internet unencrypted, making it easy to intercept. In contrast, Hypertext Transfer Protocol Secure (HTTPS) encrypts Internet traffic, which prevents wiretapping, stolen credit card numbers, and other interceptions. HTTPS is a combination of the standard HTTP protocol and a security protocol called SSL/TLS.

Cloudflare recommends end-to-end encryption of traffic between site visitors and the Cloudflare network and between Cloudflare’s network and your origin web server. The arrows in the following diagram demonstrate these two areas requiring encryption:


There are two steps for ensuring end-to-end encryption of traffic proxied through Cloudflare:

  1. Step 1 - Choose a Cloudflare SSL certificate to encrypt visitor traffic to your Cloudflare domain.
  2. Step 2 - Configure an SSL certificate at your origin web server and select the appropriate Cloudflare SSL option in the Cloudflare SSL/TLS app.

Step 1 - Choose a Cloudflare SSL certificate


Cloudflare provides several SSL certificate products for encrypting visitor traffic to your Cloudflare domain. The Cloudflare Universal SSL certificate is the default certificate automatically supplied when a domain becomes active on Cloudflare. No further certificate is required for encrypting visitor traffic to Cloudflare. Refer to our guide on understanding Cloudflare SSL certificates to compare the benefits.

Step 2 - Configure an SSL certificate at your origin web server


Follow the steps below to encrypt traffic between Cloudflare and your origin web server:

1. Configure your origin web server with an SSL certificate:

  • (Recommended) Origin CA certificates from Cloudflare, or
  • a valid SSL certificate from a Certificate Authority, or
  • self-signed certificates

The SSL certificate used at your origin web server dictates the appropriate Cloudflare SSL option.

2. Choose the recommended SSL options for your domain per the scenarios below:

If your origin web server…

The SSL options in the Cloudflare SSL/TLS app determine whether Cloudflare connects to your origin server over HTTPS or HTTP.
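Because the certificate at the origin dictates the SSL option, it helps to confirm which of the three certificate types listed in item 1 the origin actually presents, and whether that certificate is expired or issued for a different hostname. The Python below is an added example, not Cloudflare's code: the function names and sample certificates are constructed, and the Origin CA issuer OU prefix is an assumption about how those certificates are labelled.

```python
import ssl

# Assumption: issuer OU prefix shared by Cloudflare's Origin CA roots.
ORIGIN_CA_OU_PREFIX = "CloudFlare Origin SSL"

# Constructed samples (not real certificates), shaped like SSLSocket.getpeercert().
SELF_SIGNED = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": ((("commonName", "origin.example.com"),),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "origin.example.com"),),
}
ORIGIN_CA = {
    "subject": ((("commonName", "CloudFlare Origin Certificate"),),),
    "issuer": ((("organizationName", "CloudFlare, Inc."),),
               (("organizationalUnitName", "CloudFlare Origin SSL Certificate Authority"),)),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")  # fixed clock for the demo

def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a {field: value} dict."""
    return {key: value for rdn in name for key, value in rdn}

def _san_matches(pattern, hostname):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def classify_origin_cert(cert, hostname, now):
    """Return (kind, problems) for a decoded certificate dict."""
    subject, issuer = _flatten(cert["subject"]), _flatten(cert["issuer"])
    if issuer.get("organizationalUnitName", "").startswith(ORIGIN_CA_OU_PREFIX):
        kind = "cloudflare-origin-ca"
    elif issuer == subject:
        kind = "self-signed"  # name comparison only; the signature is not verified
    else:
        kind = "ca-issued"    # some other issuer; public trust is not checked here
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("expired")
    sans = [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]
    if not any(_san_matches(p, hostname) for p in sans):
        problems.append("hostname-mismatch")
    return kind, problems
```

Note that `getpeercert()` only returns the decoded dict when the connection validated the certificate, so for a self-signed origin the certificate has to be loaded as a trusted CA in the `SSLContext` first.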
