Strict (SSL-Only Origin Pull)

Note

This method is only available for Enterprise zones.

When you set your encryption mode to Strict (SSL-Only Origin Pull), connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.

The certificate presented by the origin will be validated the same as with Full (strict) mode.

flowchart LR
    accTitle: Strict (SSL-Only Origin Pull) SSL/TLS Encryption
    accDescr: With an encryption mode of Strict (SSL-Only Origin Pull), all connections to the origin will always be made using SSL/TLS.
    A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[("Origin server (verified) #9989;")]

Use when

You want the most secure configuration available for your origin, you are an Enterprise customer, and you meet the requirements for Full (strict) mode.

Required setup

The setup is generally the same as Full (strict) mode, but you select Strict (SSL-Only Origin Pull) for your encryption mode.

Note

In addition to Strict (SSL-Only Origin Pull) encryption, you can also set up Authenticated Origin Pulls to ensure all requests to your origin are evaluated before receiving a response.

Process

Dashboard

To change your encryption mode in the dashboard:

1. Log in to the Cloudflare dashboard ↗ and select your account and domain.
2. Go to SSL/TLS.
3. Choose an encryption mode.

API

To adjust your encryption mode with the API, send a PATCH request with ssl as the setting name in the URI path, and the value parameter set to your desired setting (off, flexible, full, strict, or origin_pull).

Limitations

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.