Skip to content

Encryption modes

Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.

flowchart LR
    accTitle: SSL/TLS Encryption mode
    A[Browser] <--Connection 1--> B((Cloudflare))<--Connection 2--> C[(Origin server)]

If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.

For more details on how encryption modes fit into the bigger picture of Cloudflare SSL/TLS protection, refer to Concepts.

Available encryption modes

Automatic SSL/TLS uses the SSL/TLS Recommender to make the determination as to what encryption mode is the most secure and safest for a website to be set to. If there is a more secure option for your website (based on your origin certification or capabilities), Automatic SSL/TLS will find it and apply it for your domain. The other option, Custom SSL/TLS, will work exactly like the setting the encryption mode does today.

To understand how the various encryption modes affect your cache, refer to the section on Impact of SSL setting on cache behavior.

Automatic SSL/TLS (default)

Automatic SSL/TLS uses the SSL/TLS Recommender to identify and apply the most secure encryption mode for your website. It continuously assesses your traffic to determine if a more secure option is needed based on your origin certification or capabilities, and updates your settings automatically to ensure the highest level of security for your domain.

Cloudflare is enabling Automatic SSL/TLS on the following dates:

PlanUsing SSL/TLS recommender?Grace period ends
Non-EnterpriseYesSeptember 9th, 2024
EnterpriseYesOctober 7th, 2024
All plansNoOctober 21st, 2024

Opt out single zone

If you want to opt a zone out via the API, you can make this API call on or before the grace period expiration date.

Terminal window
curl --request PATCH \
--url https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/settings/ssl_automatic_mode \
--header 'Authorization: Bearer <CF_API_TOKEN>' \
--header 'Content-Type: application/json' \
--data '{"value":"custom"}'

Opt out multiple zones

If you wanted to opt out multiple zones:

  1. Create an API token with the following permissions:

    • Zone - Zone - Read
    • Zone - Zone Settings - Read
    • Zone - Zone Settings - Edit
  2. Make a GET request to get a list of zones (you can filter this list by account.id).

    Terminal window
    curl 'https://api.cloudflare.com/client/v4/zones?account.id=<ACCOUNT_ID>' \
    --header 'Authorization: Bearer <CF_API_TOKEN>' \
    --header 'Content-Type: application/json'
  3. Create a list of zone IDs you want to opt-out with each zone ID on a separate line (newline separate), stored in a file such as zones.txt.

  4. Create a bash script for opt-out-multiple-zones.sh and add the following. Add zones.txt to the same directory or update the path accordingly.

    opt-out-multiple-zones.sh
    for zoneID in $(cat zone.txt); do
    printf "Opting out ${zoneID}:\n"
    curl --request PATCH \
    --url https://api.cloudflare.com/client/v4/zones/$zoneID/settings/ssl_automatic_mode \
    --header 'Authorization: Bearer <CF_API_TOKEN>' \
    --header 'Content-Type: application/json' \
    --data '{"value":"custom"}'
    printf "\n\n"
    done
  5. Open your command line and run:

    Terminal window
    bash opt-out-multiple-zones.sh

Custom SSL/TLS

To use Custom SSL/TLS, select the custom option (if you prefer to manually set the encryption mode instead of using Automatic SSL/TLS):

  • Off (no encryption): No encryption is used for traffic between browsers and Cloudflare or between Cloudflare and origins. Everything is cleartext HTTP.
  • Flexible: Traffic from browsers to Cloudflare can be encrypted via HTTPS, but traffic from Cloudflare to the origin server is not. This mode is common for origins that do not support TLS, though upgrading the origin configuration is recommended whenever possible.
  • Full: Cloudflare matches the browser request protocol when connecting to the origin. If the browser uses HTTP, Cloudflare connects to the origin via HTTP; if HTTPS, Cloudflare uses HTTPS without validating the origin’s certificate. This mode is common for origins that use self-signed or otherwise invalid certificates.
  • Full (strict): Similar to Full Mode, but with added validation of the origin server’s certificate, which can be issued by a public CA like Let’s Encrypt or by Cloudflare Origin CA.
  • Strict (SSL-Only Origin Pull): Regardless of whether the browser-to-Cloudflare connection uses HTTP or HTTPS, Cloudflare always connects to the origin over HTTPS with certificate validation.

Update your encryption mode

To change your encryption mode in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Go to SSL/TLS.
  3. Choose an encryption mode.