How to Choose Cloudflare SSL Mode (Flexible, Full, Strict)

DodaTech 3 min read

In this tutorial, you'll learn about How to Choose Cloudflare SSL Mode (Flexible, Full, Strict). We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

The Problem

Cloudflare offers three SSL/TLS encryption modes: Flexible, Full, and Strict. Choosing the wrong mode can leave traffic unencrypted between Cloudflare and your origin server, or cause browser warnings.

Quick Fix

Step 1: Check your current SSL mode

In the Cloudflare Dashboard:

  1. Select your domain.
  2. Go to SSL/TLS > Overview.
  3. See the currently selected mode.

Step 2: Understand the three modes

Flexible — Encrypts traffic between the Visitor and Cloudflare only. Traffic from Cloudflare to your origin is over HTTP. Use only when your origin does not support HTTPS or has a self-signed certificate.

Full — Encrypts traffic both ways, but Cloudflare does not verify your origin certificate. Use when your origin has HTTPS with a certificate that may be self-signed or expired.

Full (Strict) — Encrypts both ways and requires a valid, trusted certificate on your origin. This is the recommended mode for production.
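The practical difference between Full and Full (Strict) is what the client on the Cloudflare-to-origin leg checks before trusting the origin certificate. The following Python example, added here and not part of the original article, models each mode as an ordinary TLS client context and probes an origin with it; the function names (`context_for_mode`, `probe_origin`, `days_until_expiry`) and the `example.com` default are illustrative choices, not anything Cloudflare ships.

```python
import socket
import ssl
import time
from typing import Optional

# Added example, not from the original article. The Cloudflare-to-origin leg is an
# ordinary TLS client connection, so each mode maps onto client verification settings:
#   full   -> encrypt, but accept any certificate (self-signed, expired, wrong name)
#   strict -> encrypt and require a chain to a trusted CA plus a matching hostname
# Flexible has no TLS leg to the origin at all.


def context_for_mode(mode: str) -> ssl.SSLContext:
    """Build a TLS client context that verifies the origin the way the given mode does."""
    if mode == "flexible":
        raise ValueError("Flexible talks plain HTTP to the origin; there is no TLS context")
    ctx = ssl.create_default_context()  # loads the system CA store, like Strict does
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the article requires TLS 1.2 or higher
    if mode == "full":
        # Order matters: check_hostname must be off before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == "strict":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError(f"unknown mode: {mode}")
    return ctx


def verifies_origin(mode: str) -> bool:
    """True when the mode would reject an untrusted or mismatched origin certificate."""
    ctx = context_for_mode(mode)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left on a certificate, given its notAfter string as returned by getpeercert()."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def probe_origin(host: str, port: int = 443, mode: str = "strict", timeout: float = 5.0) -> dict:
    """Connect to an origin as the given mode would and report what the check saw."""
    ctx = context_for_mode(mode)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result = {"ok": True, "mode": mode, "tls_version": tls.version()}
                cert = tls.getpeercert()  # empty dict when the chain was not verified (Full)
                if cert:
                    result["subject"] = cert.get("subject")
                    result["days_until_expiry"] = round(days_until_expiry(cert["notAfter"]), 1)
                return result
    except ssl.SSLCertVerificationError as e:
        # Exactly what Strict surfaces: untrusted chain, expired certificate, or hostname mismatch
        return {"ok": False, "mode": mode, "error": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "mode": mode, "error": str(e)}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for mode in ("full", "strict"):
        print(mode, probe_origin(host, mode=mode))
```

Running it against an origin that only has a self-signed certificate shows the point directly: the `full` probe succeeds with an empty peer certificate (nothing was verified), while the `strict` probe fails with a verification error, which is the same outcome Cloudflare reports when Full (Strict) is selected against such an origin.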

Step 3: Set to Full (Strict)

  1. In SSL/TLS > Overview, select Full (Strict).
  2. Ensure your origin server has a valid SSL certificate from a trusted CA (Let's Encrypt, ZeroSSL, or a paid CA).

This is the safest option. Cloudflare validates the origin certificate on every connection and will not fall back to unencrypted HTTP.

Step 4: Configure the origin certificate for Strict

If your origin is behind Cloudflare, install an origin certificate:

  1. Go to SSL/TLS > Origin Server.
  2. Click Create Certificate.
  3. Select the hostnames and validity period.
  4. Copy the certificate and key to your origin server.

sudo tee /etc/ssl/cloudflare-origin.pem > /dev/null << 'EOF'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
# Paste the private key the same way into /etc/ssl/cloudflare-origin.key, then restrict it:
sudo chmod 600 /etc/ssl/cloudflare-origin.key

Step 5: Configure your web server for Strict

For Nginx:

server {
    listen 443 ssl;
    server_name example.com;

    # Cloudflare Origin Certificate and key installed in Step 4
    ssl_certificate     /etc/ssl/cloudflare-origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare-origin.key;

    # Cloudflare connects with TLS 1.2 or higher (see Common Errors below)
    ssl_protocols TLSv1.2 TLSv1.3;
}

Step 6: Test the SSL mode

curl -sI https://example.com | grep -i "cf-ray"

A valid cf-ray header confirms the connection is proxied through Cloudflare.

Step 7: Verify no mixed-content warnings

curl -s https://example.com | grep -i "http://"

If your HTML loads assets (scripts, stylesheets, images, frames) from http:// URLs, browsers show mixed-content warnings or block those assets even in Strict mode, because the page itself is HTTPS.
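A plain grep for "http://" also matches ordinary links and text, which browsers do not treat as mixed content; only subresources fetched over HTTP count. The following Python scanner, added here and not part of the original article, parses the HTML and reports only those, separating active content (scripts, stylesheets, frames, which browsers block) from passive content (images and media, which browsers warn about). The sample page and its hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Added example, not from the original article. Mixed content means an HTTPS page
# fetching a *subresource* over http://; an <a href="http://..."> link is a navigation
# and is not flagged by browsers, so grepping the whole page for "http://" over-reports.

# Which attributes on which tags fetch a subresource.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "frame": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}
# Active mixed content can change the page and is blocked; passive content is only displayed.
ACTIVE_TAGS = {"script", "link", "iframe", "frame", "embed", "object"}


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str, str]] = []  # (tag, attr, url, kind)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None or attr not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            if attr == "srcset":
                # srcset holds comma-separated "url descriptor" candidates
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for url in candidates:
                # Only an explicit http:// scheme is mixed content; "//host/path" follows the page scheme
                if url.lower().startswith("http://"):
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, attr, url, kind))


def find_mixed_content(html: str) -> List[Tuple[str, str, str, str]]:
    """Return (tag, attr, url, kind) for every http:// subresource in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the http:// anchor and the protocol-relative image are NOT mixed content.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png" alt="logo">
<img srcset="//static.example.com/a.png 1x, http://static.example.com/a2.png 2x">
<a href="http://example.com/about">About</a>
<iframe src="HTTP://widgets.example.com/embed"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url}")
```

On the sample page the scanner reports four subresources (the stylesheet and iframe as active, the two images as passive) and ignores the `<a>` link that a grep would have flagged. Feed it the body from `curl -s https://example.com` to check a real page.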

Alternative Solutions

If your origin cannot support HTTPS, use Flexible, but understand that the origin-to-Cloudflare leg is unencrypted. Upgrade your origin as soon as possible.

Common Errors

Browser shows "ERR_SSL_VERSION_OR_CIPHER_MISMATCH": The origin server does not support the same TLS version that Cloudflare negotiates. Ensure the origin runs TLS 1.2 or higher.

Cloudflare returns 521/522 errors in Strict mode: The origin certificate is invalid or expired. Verify with openssl s_client -connect origin-host:443 -servername origin-host (the -servername flag sends SNI so the origin presents the certificate for that hostname) and check the certificate dates.

Mixed content warnings in Flexible mode: Since traffic to the origin is HTTP, any HTTPS page loading resources over HTTP triggers mixed content warnings. Use Strict mode to avoid this.

Origin certificate not trusted: In Strict mode, Cloudflare validates the origin certificate against the system CA store. Use a certificate from a trusted CA or a Cloudflare Origin Certificate.

Prevention

  • Always use Full (Strict) for production sites.
  • Never use Flexible for sensitive data (logins, payments, APIs).
  • Set up automatic certificate renewal on your origin server.
  • Test with a staging domain before changing modes on production.
