Encryption modes

Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.

flowchart LR
    accTitle: SSL/TLS Encryption mode
    A[Browser] <--Connection 1--> B((Cloudflare))<--Connection 2--> C[(Origin server)]

If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.

For more details on how encryption modes fit into the bigger picture of Cloudflare SSL/TLS protection, refer to Concepts.

Tip:

If you are not sure which encryption mode to use, enable the SSL/TLS Recommender.

Available encryption modes

• Off (no encryption)
• Flexible
• Full
• Full (strict)
• Strict (SSL-Only Origin Pull)

Update your encryption mode

dashboard

To change your encryption mode in the dashboard:

1. Log in to the Cloudflare dashboard and select your account and domain.
2. Go to SSL/TLS.
3. Choose an encryption mode.

api

To adjust your encryption mode with the API, send a PATCH request with ssl as the setting name in the URI path, and the value parameter set to your desired setting (off, flexible, full, strict).

Note

To use this feature on specific hostnames - instead of across your entire zone - use a configuration rule.