
SSL/TLS Modes -- Flexible, Full, Strict Explained

DodaTech 6 min read

In this tutorial, you'll learn about SSL/TLS Modes. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare SSL/TLS encryption modes determine how traffic is encrypted between visitors and your origin server -- Flexible encrypts browser-to-Cloudflare only, Full encrypts both legs with a self-signed cert, and Strict requires a valid origin certificate. Choosing the right mode prevents mixed content warnings, secures data in transit, and avoids origin connectivity failures.

Why Encryption Modes Matter

Encryption is not a single on-off switch. Cloudflare gives you four modes (Off, Flexible, Full, Full Strict) that control where and how TLS is applied. Without understanding these modes, you might leave origin traffic unencrypted (Flexible), accept invalid certificates (Full), or break your site by enabling Strict without a valid origin cert. This decision directly impacts your security posture and compliance with standards like PCI DSS.

Real-World Use Case

An e-commerce platform using Flexible mode exposed credit card data between Cloudflare and the origin server because the origin spoke plain HTTP. An auditor flagged this during a PCI compliance review. Switching to Full Strict with a properly issued origin certificate closed the gap and passed the audit.

How Cloudflare SSL/TLS Modes Work

Cloudflare acts as a reverse proxy. When a visitor connects, Cloudflare terminates the TLS connection at its edge. Cloudflare then opens a second connection to your origin server. The SSL/TLS mode setting controls how that second connection is secured.

flowchart LR
    V[Visitor Browser] -- TLS Encrypted --> C[Cloudflare Edge]
    C -- Mode-Dependent Encryption --> O[Origin Server]

    subgraph FL[Flexible]
    C -->|"HTTP (no encryption)"| O
    end

    subgraph FU[Full]
    C -- TLS Self-Signed --> O
    end

    subgraph FS[Full Strict]
    C -- TLS Valid Cert --> O
    end

Off Mode

No encryption at all. Cloudflare forwards requests as-is over HTTP. Only use for testing or public static content that contains no sensitive data.

Flexible Mode

Traffic between the visitor and Cloudflare is encrypted. Traffic between Cloudflare and the origin is plain HTTP. This is the easiest to set up because the origin does not need a certificate. However, traffic is exposed on the last mile. Cloudflare mentions that Flexible mode should only be used when the origin does not support TLS.

Full Mode

Traffic is encrypted on both legs. The origin must have a certificate installed, but it can be self-signed. Cloudflare does not validate the certificate. Full mode is appropriate when you control the origin infrastructure and can install a certificate but cannot obtain one from a publicly trusted CA.

Full Strict Mode

Traffic is encrypted on both legs. The origin certificate must be signed by a trusted Certificate Authority (CA). Cloudflare validates the certificate chain, hostname, and expiry. This is the most secure mode and is required for PCI compliance. Use Full Strict in production whenever possible.

Checking and Changing SSL/TLS Mode

# Using curl to check if your origin supports TLS
# Point this at the origin itself (its IP address, or a hostname that is not
# proxied by Cloudflare); the proxied hostname would only test Cloudflare's edge.
curl -vI https://your-origin-server.com --connect-timeout 5 2>&1 | grep "SSL connection"
# Expected output example:
# SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256

The command above tests whether your origin server accepts TLS connections and shows the negotiated protocol and cipher. If curl succeeds, your origin supports TLS and can run Full or Strict mode. If it fails with a connection error, your origin is not serving TLS on that port and you must stay on Flexible until TLS is enabled at the origin.
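Confirming that TLS is offered is not the same as confirming that Full Strict will succeed. The following Python check is an added example (not the article's own code): it connects directly to the origin IP with the site hostname as SNI, validates chain, hostname and expiry the way Cloudflare does in Full Strict, and maps failures to the error codes the troubleshooting section below describes. The hostname, origin IP and any extra CA bundle path are assumptions you supply.

```python
"""Pre-flight check before switching a zone to Full Strict: validate the origin
certificate the way Cloudflare will (trusted chain, hostname, expiry).
Added example, not from the article; standard library only."""
import socket
import ssl
import time
from typing import Optional

def classify_failure(exc: BaseException) -> int:
    """Map a local failure onto the Cloudflare error the article describes."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return 526   # untrusted chain, hostname mismatch or expired cert
    if isinstance(exc, ssl.SSLError):
        return 525   # origin speaks TLS but the handshake failed
    if isinstance(exc, OSError):
        return 520   # refused / timed out: no usable response from origin
    raise exc

def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """not_after is the date string from getpeercert()['notAfter']."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def check_origin(host: str, origin_ip: str, port: int = 443,
                 extra_ca: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Connect straight to the origin address (not the Cloudflare-proxied name)
    and validate its certificate for `host`. extra_ca is an optional PEM file to
    trust besides the system store, e.g. the Cloudflare Origin CA root (path is
    an assumption), which Cloudflare itself accepts in Full Strict."""
    ctx = ssl.create_default_context()   # verifies chain, hostname and dates
    if extra_ca:
        ctx.load_verify_locations(cafile=extra_ca)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                proto, cipher = tls.version(), tls.cipher()[0]
    except OSError as exc:   # ssl.SSLError is an OSError subclass
        return {"ok": False, "cloudflare_error": classify_failure(exc),
                "reason": getattr(exc, "verify_message", str(exc))}
    days = days_until_expiry(cert["notAfter"])
    return {"ok": True, "protocol": proto, "cipher": cipher,
            "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            "expires_in_days": days, "renew_soon": days < 14}

if __name__ == "__main__":
    # Constructed placeholders: replace with your hostname and origin IP.
    print(check_origin("www.example.com", "203.0.113.10"))
```

A result with "ok": false and "cloudflare_error": 526 means the switch to Full Strict would take the site down until the origin certificate is fixed.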

Verifying Cloudflare SSL Mode via API

# Get current SSL setting for a zone
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -m json.tool
# Expected output (truncated):
# {
#   "result": {
#     "id": "ssl",
#     "value": "strict",
#     "modified_on": "2025-05-15T10:30:00Z"
#   }
# }

The API returns the current SSL mode for your domain. The value field shows "off", "flexible", "full", or "strict". Use this in automation scripts to enforce encryption policies across multiple zones.

Switching Modes with curl and API

# Set SSL mode to Full Strict
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/ssl" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value":"strict"}' | python3 -m json.tool
# Expected output:
# {
#   "result": {
#     "id": "ssl",
#     "value": "strict"
#   },
#   "success": true
# }

This API call changes your zone's SSL mode. The success: true field confirms the change. Always verify after changing because a misconfigured Strict mode can take your site offline if the origin certificate is invalid.
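To audit and enforce the mode across many zones, here is an added Python example (not the article's code) that lists the account's zones, reads each zone's ssl setting, flags anything weaker than the required mode and, when asked, PATCHes it and re-reads the value to confirm the change took effect. The API token and the required mode are inputs you supply; the zone listing only fetches the first page.

```python
"""Audit the SSL/TLS mode of every zone and optionally raise it to Full Strict,
re-reading the setting afterwards to confirm. Added example, not from the
article; policy logic is kept apart from HTTP so it can run offline with a fake."""
import json
import urllib.request
from functools import partial
from typing import Callable, Dict, List, Optional

API = "https://api.cloudflare.com/client/v4"
RANK = {"off": 0, "flexible": 1, "full": 2, "strict": 3}   # weakest first
RISK = {"off": "no encryption on either leg", "full": "origin cert not validated",
        "flexible": "Cloudflare-to-origin leg is plaintext"}

def cf_request(token: str, path: str, method: str = "GET",
               body: Optional[dict] = None) -> dict:
    """Same GET/PATCH settings/ssl calls as the article's curl commands."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def evaluate(modes: Dict[str, str], required: str = "strict") -> List[dict]:
    """One finding per zone whose mode is weaker than `required`."""
    findings = []
    for zone, mode in modes.items():
        if mode not in RANK:
            raise ValueError(f"{zone}: unknown ssl value {mode!r}")
        if RANK[mode] < RANK[required]:
            findings.append({"zone": zone, "current": mode,
                             "required": required, "risk": RISK[mode]})
    return findings

def enforce(zone_ids: Dict[str, str], modes: Dict[str, str], required: str,
            request: Callable[..., dict]) -> Dict[str, bool]:
    """PATCH each non-compliant zone, then GET it again: fixed only if both agree."""
    outcome = {}
    for f in evaluate(modes, required):
        path = f"/zones/{zone_ids[f['zone']]}/settings/ssl"
        ok = request(path, "PATCH", {"value": required}).get("success", False)
        outcome[f["zone"]] = ok and request(path)["result"]["value"] == required
    return outcome

def audit(token: str, required: str = "strict", fix: bool = False) -> dict:
    req = partial(cf_request, token)
    ids = {z["name"]: z["id"] for z in req("/zones?per_page=50")["result"]}
    modes = {n: req(f"/zones/{i}/settings/ssl")["result"]["value"]
             for n, i in ids.items()}
    fixed = enforce(ids, modes, required, req) if fix else {}
    return {"findings": evaluate(modes, required), "fixed": fixed}
```

Run enforce only after the origin certificates of the flagged zones have been checked, since a zone moved to strict with an invalid origin certificate starts returning error 526 immediately.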

Common Errors and Troubleshooting

Error 526: Invalid SSL Certificate

This error occurs when Cloudflare cannot validate the origin certificate. It happens in Full Strict mode when the certificate is expired, self-signed, or issued by an untrusted CA. Solution: downgrade to Full mode temporarily and fix the origin certificate.

Error 525: SSL Handshake Failed

The origin server refused or failed the TLS handshake. This can be caused by mismatched cipher suites, TLS version incompatibility, or a misconfigured server. Solution: check that your origin server supports TLS 1.2 or higher and uses a compatible cipher suite.

Error 520: Origin Returns Unrecognizable Headers

This error occurs when Cloudflare connects to the origin over HTTPS and the origin returns unexpected headers or no response at all. Solution: verify the origin web server is running and reachable on the expected port.

Mixed Content Warnings

In Flexible mode, the browser loads pages over HTTPS but subresources (images, scripts, stylesheets) load over HTTP from the origin. This triggers browser mixed content warnings. Solution: either upgrade to Full Strict mode or ensure all origin URLs use HTTPS.

Redirect Loops

If the origin server has its own HTTPS redirect (301/302 to https), it can create a loop when Cloudflare tries to connect over HTTP in Flexible mode. Solution: disable HTTPS redirects on the origin server when using Cloudflare Flexible mode.

Practice Questions

  1. Which Cloudflare SSL mode requires a valid, CA-signed certificate on the origin server?
  2. What error code does Cloudflare return when the origin certificate is expired or self-signed in Strict mode?
  3. Why does Flexible mode cause mixed content warnings in the browser?

FAQ

What is the difference between Full and Full Strict mode?

Full mode accepts any certificate including self-signed. Full Strict requires a valid certificate from a trusted CA that matches the origin hostname and has not expired. Full Strict is required for PCI DSS compliance.

Can I use Flexible mode with sensitive data?

No. Flexible mode leaves the connection between Cloudflare and your origin server unencrypted. Any sensitive data (login credentials, payment info, personal data) is exposed on the last mile. Use Full Strict mode for any site handling sensitive data.

Does changing SSL mode cause downtime?

Changing from Full to Flexible or vice versa is instantaneous and does not cause downtime. Switching to Full Strict can cause downtime if your origin certificate is invalid -- Cloudflare returns error 526. Always test Strict mode on a staging environment first.

Summary

Cloudflare SSL/TLS modes control encryption on the origin-facing leg of the connection. Flexible encrypts only the browser edge. Full encrypts both legs without certificate validation. Full Strict encrypts both legs with full certificate validation. For production workloads, especially those handling sensitive data, Full Strict is the recommended mode. Use the Cloudflare API or dashboard to audit and enforce the correct mode across your zones.

This guide is brought to you by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro -- security-first tools built for the modern web.
