About
When visitors request content from your domain, Cloudflare first attempts to serve content from the cache. If this attempt fails, Cloudflare sends a request — or an origin pull
— back to your origin web server to get the content.
Authenticated Origin Pulls makes sure that all of these origin pulls
come from Cloudflare. Put another way, Authenticated Origin Pulls ensures that any HTTPS requests outside of Cloudflare will not receive a response from your origin.
This block also applies for requests to unproxied DNS records in Cloudflare.
Cloudflare enforces authenticated origin pulls by adding an extra layer of TLS client certificate authentication when establishing a connection between Cloudflare and the origin web server.
For more details, refer to the introductory blog post.
For more details, refer to What is a TLS handshake?.
Standard TLS handshake
Client authenticated TLS handshake
Without Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes between a client device and Cloudflare and Cloudflare and your origin. This is true even if you have Full or Full (strict) encryption modes enabled.
flowchart TD accTitle: Connection diagram without Authenticated Origin Pulls A[End user query for <code>example.com</code>] --Standard TLS Handshake--> B[Cloudflare network] B --Standard TLS Handshake--> C[Origin server] D[External device] --Standard TLS Handshake ----> C
This lack of authentication means that - even if your origin is protected behind Cloudflare - attackers with your origin’s IP address will still receive a response from your origin for HTTPS requests.
With Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes between a client device and Cloudflare, but a client-authenticated TLS handshake between Cloudflare and your origin.
flowchart TD accTitle: Connection diagram with Authenticated Origin Pulls A[End user query for <code>example.com</code>] --Standard TLS Handshake--> B[Cloudflare network] B --Client authenticated TLS Handshake--> C[Origin server] D[External device] --Standard TLS Handshake -----x C
This additional layer of authentication ensures that any HTTPS requests outside of Cloudflare will not receive a response from your origin.