SSL/TLS Modes -- Flexible, Full, Strict Explained
In this tutorial, you'll learn about SSL/TLS Modes. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloudflare SSL/TLS encryption modes determine how traffic is encrypted between visitors and your origin server -- Flexible encrypts browser-to-Cloudflare only, Full encrypts both legs with a self-signed cert, and Strict requires a valid origin certificate. Choosing the right mode prevents mixed content warnings, secures data in transit, and avoids origin connectivity failures.
Why Encryption Modes Matter
Encryption is not a single on-off switch. Cloudflare gives you four modes (Off, Flexible, Full, Full Strict) that control where and how TLS is applied. Without understanding these modes, you might leave origin traffic unencrypted (Flexible), accept invalid certificates (Full), or break your site by enabling Strict without a valid origin certificate. This decision directly affects your security posture and your compliance with standards such as PCI DSS.
Real-World Use Case
An e-commerce platform using Flexible mode exposed credit card data between Cloudflare and the origin server because the origin spoke plain HTTP. An auditor flagged this during a PCI compliance review. Switching to Full Strict with a properly issued origin certificate closed the gap and passed the audit.
How Cloudflare SSL/TLS Modes Work
Cloudflare acts as a reverse proxy. When a visitor connects, Cloudflare terminates the TLS connection at its edge and then opens a second connection to your origin server. The SSL/TLS mode setting controls how that second connection is secured.
flowchart LR
V[Visitor Browser] -- TLS encrypted --> C[Cloudflare Edge]
C -- "Flexible: HTTP (no encryption)" --> O[Origin Server]
C -- "Full: TLS, any certificate accepted" --> O
C -- "Full Strict: TLS, CA-validated certificate" --> O
Off Mode
No encryption at all. Cloudflare forwards requests as-is over HTTP on both legs. Use it only for testing or for public static content that contains no sensitive data.
Flexible Mode
Traffic between the visitor and Cloudflare is encrypted. Traffic between Cloudflare and the origin is plain HTTP. This is the easiest mode to set up because the origin does not need a certificate. However, traffic is exposed in clear text on the Cloudflare-to-origin leg. Cloudflare's own guidance is to use Flexible only when the origin does not support TLS.
Full Mode
Traffic is encrypted on both legs. The origin must have a certificate installed, but it can be self-signed. Cloudflare does not validate the certificate, so this mode protects against passive eavesdropping on the origin leg but not against anyone who can intercept that connection and present a certificate of their own. Full mode is appropriate when you control the origin infrastructure and can install a certificate but cannot obtain one from a publicly trusted CA.
Full Strict Mode
Traffic is encrypted on both legs. The origin certificate must be signed by a trusted Certificate Authority (CA). Cloudflare validates the certificate chain, hostname, and expiry. This is the most secure mode and is required for PCI compliance. Use Full Strict in production whenever possible.
Checking and Changing SSL/TLS Mode
# Using curl to check if your origin supports TLS
curl -vI https://your-origin-server.com --connect-timeout 5 2>&1 | grep "SSL connection"
# Expected output example:
# SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
The command above tests whether your origin server accepts TLS connections and shows the negotiated protocol and cipher. If curl succeeds, your origin supports TLS and can run Full or Strict mode. If it fails with a connection error, your origin only speaks HTTP, and Flexible is the only mode that will work until TLS is enabled on the origin.
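An added example, not from the original tutorial, that automates the check above in Python and goes one step further: it attempts a CA-verified TLS handshake first, retries without verification, and maps the result to the strongest mode the origin can sustain, noting where the 526 and 525 errors discussed later would surface. The origin hostname is an assumed placeholder.

```python
import socket
import ssl

def probe_origin(host, port=443, timeout=5.0):
    """Try a CA-verified TLS handshake, then an unverified one, then give up.
    Returns what the origin can do so the caller can pick a safe Cloudflare mode."""
    result = {"reachable": False, "tls": False, "verified": False, "detail": ""}
    verified_ctx = ssl.create_default_context()      # system CA bundle, hostname check on
    lax_ctx = ssl.create_default_context()
    lax_ctx.check_hostname = False                   # accept self-signed / wrong-name certs,
    lax_ctx.verify_mode = ssl.CERT_NONE              # i.e. what Cloudflare's Full mode accepts
    for label, ctx in (("verified", verified_ctx), ("unverified", lax_ctx)):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                result["reachable"] = True
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = True
                    result["verified"] = label == "verified"
                    result["detail"] = f"{tls.version()} / {tls.cipher()[0]}"
                    return result
        except ssl.SSLCertVerificationError as exc:
            # Strict would fail here with Cloudflare error 526; retry without verification
            result["detail"] = f"certificate rejected: {exc.reason}"
        except ssl.SSLError as exc:
            # No usable TLS (plain HTTP on the port, or version/cipher mismatch): error 525 territory
            result["detail"] = f"handshake failed: {exc.reason}"
            return result
        except OSError as exc:
            result["detail"] = f"connect failed: {exc}"
            return result
    return result

def recommend_mode(probe):
    """Strongest Cloudflare mode the probed origin can sustain without breaking the site."""
    if probe["verified"]:
        return "strict"       # chain, hostname and expiry all validated
    if probe["tls"]:
        return "full"         # TLS works but the cert is untrusted: fix the cert before Strict
    if probe["reachable"]:
        return "flexible"     # the port answers, but not with TLS
    return "unreachable"      # no mode helps until the origin is up

if __name__ == "__main__":
    ORIGIN = "your-origin-server.com"   # assumption: replace with your real origin hostname
    probe = probe_origin(ORIGIN)
    print(f"{ORIGIN}: {probe['detail'] or 'ok'} -> recommended mode: {recommend_mode(probe)}")
```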
Verifying Cloudflare SSL Mode via API
# Get current SSL setting for a zone
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/ssl" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" | python3 -m json.tool
# Expected output (truncated):
# {
# "result": {
# "id": "ssl",
# "value": "strict",
# "modified_on": "2025-05-15T10:30:00Z"
# }
# }
The API returns the current SSL mode for your zone. The value field contains one of off, flexible, full, or strict. Use this in automation scripts to audit and enforce encryption policies across multiple zones.
Switching Modes with curl and API
# Set SSL mode to Full Strict
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/ssl" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value":"strict"}' | python3 -m json.tool
# Expected output:
# {
# "result": {
# "id": "ssl",
# "value": "strict"
# },
# "success": true
# }
This API call changes your zone's SSL mode. The success: true field confirms the change. Always re-check the setting after changing it, because enabling Strict mode against an invalid origin certificate takes your site offline.
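An added example, not code from the original page, that turns the two API calls above into the multi-zone audit the text recommends: it walks the paginated /zones listing, reads each zone's ssl setting, lists the zones below a required minimum, and only PATCHes them when explicitly asked. It uses only the Python standard library; the API token is assumed to be passed in by the caller.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
STRENGTH = {"off": 0, "flexible": 1, "full": 2, "strict": 3}   # the API's own ssl values, weakest first

def cf_request(token, method, path, body=None):
    """Minimal authenticated call to the Cloudflare v4 API using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"{method} {path} failed: {payload.get('errors')}")
    return payload

def list_zones(token):
    """Walk the paginated /zones listing and return {zone_id: zone_name}."""
    zones, page = {}, 1
    while True:
        payload = cf_request(token, "GET", f"/zones?page={page}&per_page=50")
        zones.update({z["id"]: z["name"] for z in payload["result"]})
        if page >= payload.get("result_info", {}).get("total_pages", 1):
            return zones
        page += 1

def audit_modes(token):
    """Return {zone_id: (zone_name, current ssl mode)} for every zone the token can see."""
    return {zid: (name, cf_request(token, "GET", f"/zones/{zid}/settings/ssl")["result"]["value"])
            for zid, name in list_zones(token).items()}

def below_policy(modes, minimum="strict"):
    """Pure check: zone ids weaker than the minimum, weakest first; unknown values are left alone."""
    weak = [(STRENGTH[m], zid) for zid, (_, m) in modes.items()
            if m in STRENGTH and STRENGTH[m] < STRENGTH[minimum]]
    return [zid for _, zid in sorted(weak)]

def enforce(token, minimum="strict", apply=False):
    """Report zones below policy and PATCH them only when apply=True. Dry run is the default:
    moving a zone to strict while its origin certificate is invalid takes the site offline (526)."""
    modes = audit_modes(token)
    offenders = below_policy(modes, minimum)
    for zid in offenders:
        name, mode = modes[zid]
        print(f"{name}: {mode} -> {minimum}{'' if apply else ' (dry run)'}")
        if apply:
            cf_request(token, "PATCH", f"/zones/{zid}/settings/ssl", {"value": minimum})
    return offenders
```

Call enforce(token) for a dry run first, and enforce(token, apply=True) only once each flagged zone's origin has passed a TLS check with a valid certificate.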
Common Errors and Troubleshooting
Error 526: Invalid SSL Certificate
This error occurs when Cloudflare cannot validate the origin certificate. It happens in Full Strict mode when the certificate is expired, self-signed, or issued by an untrusted CA. Solution: downgrade to Full mode temporarily and fix the origin certificate.
Error 525: SSL Handshake Failed
The origin server refused or failed the TLS handshake. This can be caused by mismatched cipher suites, TLS version incompatibility, or a misconfigured server. Solution: check that your origin server supports TLS 1.2 or higher and uses a compatible cipher suite.
Error 520: Origin Returns Unrecognizable Headers
This error occurs when Cloudflare connects to the origin over HTTPS and the origin returns unexpected headers or no response at all. Solution: verify that the origin web server is running and reachable on the expected port.
Mixed Content Warnings
In Flexible mode, the browser loads pages over HTTPS but subresources (images, scripts, stylesheets) load over HTTP from the origin. This triggers browser mixed content warnings. Solution: either upgrade to Full Strict mode or ensure all origin URLs use HTTPS.
Redirect Loops
If the origin server has its own HTTPS redirect (301/302 to HTTPS), it creates a loop when Cloudflare connects over HTTP in Flexible mode: every request is redirected back to HTTPS, which Cloudflare again forwards over HTTP. Solution: disable HTTPS redirects on the origin server when using Cloudflare Flexible mode.
Practice Questions
- Which Cloudflare SSL mode requires a valid, CA-signed certificate on the origin server?
- What error code does Cloudflare return when the origin certificate is expired or self-signed in Strict mode?
- Why does Flexible mode cause mixed content warnings in the browser?
Summary
Cloudflare SSL/TLS modes control encryption on the origin-facing leg of the connection. Flexible encrypts only the browser edge. Full encrypts both legs without certificate validation. Full Strict encrypts both legs with full certificate validation. For production workloads, especially those handling sensitive data, Full Strict is the recommended mode. Use the Cloudflare API or dashboard to audit and enforce the correct mode across your zones.