Full (strict)
When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
flowchart LR accTitle: Full - Strict SSL/TLS Encryption accDescr: With an encryption mode of Full (strict), your application encrypts traffic going to and coming from Cloudflare. A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[("Origin server (verified) #9989;")]
For the best security, choose Full (strict) mode whenever possible (unless you are an Enterprise customer).
Your origin needs to be able to support an SSL certificate that is:
- Unexpired, meaning the certificate presents
notBeforeDate < now() < notAfterDate
. - Issued by a publicly trusted certificate authority or Cloudflare’s Origin CA.
- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
Before enabling Full (strict) mode, make sure your origin:
- Allows HTTPS connections on port
443
. - Presents a certificate matching the requirements above.
Otherwise, your visitors may experience a 526 error.
To change your encryption mode in the dashboard:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to SSL/TLS.
- Choose an encryption mode.
To adjust your encryption mode with the API, send a PATCH
request with ssl
as the setting name in the URI path, and the value
parameter set to your desired setting (off
, flexible
, full
, strict
).
Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.