Encryption modes
Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.
```mermaid
flowchart LR
  accTitle: SSL/TLS Encryption mode
  A[Browser] <--Connection 1--> B((Cloudflare)) <--Connection 2--> C[(Origin server)]
```
If possible, Cloudflare strongly recommends using Full or Full (strict) modes to prevent malicious connections to your origin.
For more details on how encryption modes fit into the bigger picture of Cloudflare SSL/TLS protection, refer to Concepts.
Automatic SSL/TLS uses the SSL/TLS Recommender to determine which encryption mode is the most secure and safest setting for a website. If a more secure option is available for your website (based on your origin certification or capabilities), Automatic SSL/TLS will find it and apply it to your domain. The other option, Custom SSL/TLS, works exactly like setting the encryption mode manually does today.
To understand how the various encryption modes affect your cache, refer to the section on Impact of SSL setting on cache behavior.
Automatic SSL/TLS uses the SSL/TLS Recommender to identify and apply the most secure encryption mode for your website. It continuously assesses your traffic to determine if a more secure option is needed based on your origin certification or capabilities, and updates your settings automatically to ensure the highest level of security for your domain.
Cloudflare is enabling Automatic SSL/TLS on the following dates:
Plan | Using SSL/TLS recommender? | Grace period ends
---|---|---
Non-Enterprise | Yes | September 9th, 2024
Enterprise | Yes | October 7th, 2024
All plans | No | October 21st, 2024
If you want to opt a zone out via the API, you can make this API call on or before the grace period expiration date.
If you want to opt out multiple zones:
- Create an API token with the following permissions:
  - Zone - Zone - Read
  - Zone - Zone Settings - Read
  - Zone - Zone Settings - Edit
- Make a `GET` request to get a list of zones (you can filter this list by `account.id`).
- Create a list of the zone IDs you want to opt out, with each zone ID on a separate line (newline separated), stored in a file such as `zones.txt`.
- Create a bash script for `opt-out-multiple-zones.sh` and add the following. Add `zones.txt` to the same directory or update the path accordingly.
- Open your command line and run:
To use Custom SSL/TLS (if you prefer to set the encryption mode manually instead of using Automatic SSL/TLS), select the custom option and choose one of the following modes:
- Off (no encryption): No encryption is used for traffic between browsers and Cloudflare or between Cloudflare and origins. Everything is cleartext HTTP.
- Flexible: Traffic from browsers to Cloudflare can be encrypted via HTTPS, but traffic from Cloudflare to the origin server is not. This mode is common for origins that do not support TLS, though upgrading the origin configuration is recommended whenever possible.
- Full: Cloudflare matches the browser request protocol when connecting to the origin. If the browser uses HTTP, Cloudflare connects to the origin via HTTP; if HTTPS, Cloudflare uses HTTPS without validating the origin's certificate. This mode is common for origins that use self-signed or otherwise invalid certificates.
- Full (strict): Similar to Full, but with added validation of the origin server's certificate, which can be issued by a public CA like Let's Encrypt or by Cloudflare Origin CA.
- Strict (SSL-Only Origin Pull): Regardless of whether the browser-to-Cloudflare connection uses HTTP or HTTPS, Cloudflare always connects to the origin over HTTPS with certificate validation.
To change your encryption mode in the dashboard:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to SSL/TLS.
- Choose an encryption mode.
To adjust your encryption mode with the API, send a `PATCH` request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).
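As an added example (not the opt-out script the multi-zone steps refer to, and not Cloudflare's own code), the following shell script applies the `PATCH` call just described to every zone listed in a `zones.txt` file of the format used in the multi-zone procedure above, rejecting any value the `ssl` setting does not accept before a single request is sent. It assumes the API token is in `CLOUDFLARE_API_TOKEN` and that `jq` is installed to read the response.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: set the ssl setting for every zone in
# zones.txt via PATCH /zones/{zone_id}/settings/ssl (the call described above).
# Assumed: token in CLOUDFLARE_API_TOKEN, jq installed for response parsing.
set -eu

API="https://api.cloudflare.com/client/v4"
ZONES_FILE="${ZONES_FILE:-zones.txt}"

# Accept only the values the ssl setting takes; reject before any request.
valid_mode() {
  case "$1" in
    off|flexible|full|strict|origin_pull) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON body for the PATCH request.
ssl_payload() { printf '{"value":"%s"}' "$1"; }

# One zone ID per line: strip CRs (Windows edits), whitespace, blanks, # comments.
list_zones() { tr -d '\r' < "$1" | awk 'NF && $1 !~ /^#/ { print $1 }'; }

# PATCH one zone; print the value the API echoes back, or its errors array.
set_zone_mode() {
  zone="$1"; mode="$2"
  resp=$(curl -sS -X PATCH "$API/zones/$zone/settings/ssl" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(ssl_payload "$mode")")
  if [ "$(printf '%s' "$resp" | jq -r '.success')" = "true" ]; then
    echo "$zone: ssl=$(printf '%s' "$resp" | jq -r '.result.value')"
  else
    echo "$zone: FAILED $(printf '%s' "$resp" | jq -c '.errors')" >&2
    return 1
  fi
}

main() {
  mode="${1:-}"
  valid_mode "$mode" || { echo "usage: $0 off|flexible|full|strict|origin_pull" >&2; return 2; }
  : "${CLOUDFLARE_API_TOKEN:?token with Zone Settings Edit permission required}"
  failed=0
  for zone in $(list_zones "$ZONES_FILE"); do
    set_zone_mode "$zone" "$mode" || failed=$((failed + 1))
  done
  [ "$failed" -eq 0 ]   # non-zero exit if any zone was not updated
}

if [ "$#" -gt 0 ]; then main "$@"; fi   # run only when a mode is given
```

Run it as `sh set-ssl-mode.sh strict` (a file name chosen here, not one from the page); the exit status is non-zero if any zone in the list was not updated, so it can gate a deployment step.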