Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)

SSL/TLS settings

  2 min read

Once you make sure that your Cloudflare SSL/TLS is working correctly, you will likely want to customize your SSL/TLS setup.


​​ Encryption mode

Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.


​​ Basic setup

The simplest way to choose your encryption mode is to enable the SSL/TLS Recommender, which scans your domain and recommends the appropriate setting.

To make sure you do not inadvertently block the SSL/TLS Recommender, review your settings to make sure your domain:

  • Is accessible.
  • Is not blocking requests from our bot (which uses a user agent of Cloudflare-SSLDetector).
  • Does not have any active, SSL-specific Page Rules or Configuration rules.

Then, you can enable SSL/TLS recommendations in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account and application.
  2. Go to SSL/TLS.
  3. For SSL/TLS Recommender, switch the toggle to On.

Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly targeting the user agent).

Based on this initial scan, the Recommender may decide that you could use a stronger SSL encryption mode. It will never recommend a weaker option than what is currently configured.

If so, it will send the application owner an email with the recommended option and add a Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required to use this recommendation.

If you do not receive an email, keep your current SSL encryption mode.

​​ Secure setup

If possible, Cloudflare recommends using Full or Full (strict) modes to prevent malicious connections to your origin.

These modes usually require additional setup and can be more technically challenging.


​​ Enforce HTTPS connections

Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.

Using various Cloudflare settings, however, you can force all or most visitor connections to use HTTPS.


​​ Evaluate additional features

After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:

  • Edge certificates: Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
  • Authenticated origin pull: Ensure all requests to your origin server originate from the Cloudflare network.
  • Notifications: Set up alerts related to certificate validation status, issuance, deployment, renewal, and expiration.