Learn to configure end-to-end HTTPS encryption for website traffic protected by Cloudflare.
Overview
Standard HTTP sends unencrypted data over the Internet making it easy to intercept. In contrast, Hypertext Transfer Protocol Secure (HTTPS) encryption prevents wiretapping, stolen credit card numbers, and other interceptions. HTTPS secures Internet traffic through encryption. HTTPS is a combination of the standard HTTP protocol and a security protocol called SSL/TLS.
Cloudflare recommends end-to-end encryption of traffic between site visitors and the Cloudflare network and between Cloudflare’s network and your origin web server. The arrows in the following diagram demonstrate these two areas requiring encryption:

There are two steps for ensuring end-to-end encryption of traffic proxied through Cloudflare:
- Step 1 - choose a Cloudflare SSL certificate to encrypt visitor traffic to your Cloudflare domain.
- Step 2 - configure an SSL certificate at your origin web server and select the appropriate Cloudflare SSL option in the Cloudflare SSL/TLS app.
Step 1 - Choose a Cloudflare SSL certificate

Cloudflare provides several SSL certificate products for encrypting visitor traffic to your Cloudflare domain. The Cloudflare Universal SSL certificate is the default certificate automatically supplied when a domain becomes active on Cloudflare. No further certificate is required for encrypting visitor traffic to Cloudflare. Refer to our guide on understanding Cloudflare SSL certificates to compare the benefits.
Step 2 - Configure an SSL certificate at your origin web server

Follow the steps below to encrypt traffic between Cloudflare and your origin web server:
1. Configure your origin web server with an SSL certificate:
- (Recommended) Origin CA certificates from Cloudflare, or
- valid SSL certificate from a Certificate Authority, or
- self-signed certificates
2. Choose the recommended SSL options for your domain per the scenarios below:
If your origin web server…
- has either a valid certificate from a Certificate Authority or an Origin CA certificate from Cloudflare, use either the Full or Full (strict) SSL option
- has self-signed SSL certificates, use the Full SSL option
- lacks any installed SSL certificate, utilize the Flexible SSL option
The SSL options in the Cloudflare SSL/TLS app determine whether Cloudflare connects to your origin server over HTTPS or HTTP.
Related resources
Learn
- End-to-end HTTPS with Cloudflare - Part 2: SSL certificates
- End-to-end HTTPS with Cloudflare - Part 3: SSL options
Troubleshoot