← Back to Blog
tutorial

Cloudflare SSL Setup Guide: Flexible vs Full vs Full Strict Explained (2026)

Cloudflare sits between your visitors and your web server. When a visitor loads your site, they're actually connecting to Cloudflare's edge network — and Cloudflare makes a second connection to your origin server. That means SSL involves two separate connections, and your SSL mode controls what happens on each leg.

🔒

Free SSL Checker

Confirm your Cloudflare SSL is active and the certificate is correct.

Try It Free →

Full

Visitor → Cloudflare: HTTPS
Cloudflare → Your Server: HTTPS (accepts self-signed)

✓ OK for legacy setups

Full (Strict)

Visitor → Cloudflare: HTTPS
Cloudflare → Your Server: HTTPS (CA-signed or Cloudflare Origin CA required)

✓ Recommended

Flexible SSL: Why It's Dangerous

With Flexible, Cloudflare serves your site over HTTPS to visitors — so the browser shows the padlock. But behind the scenes, Cloudflare fetches content from your server over plain HTTP. Your visitors' data (login credentials, form submissions, payment details) travels encrypted to Cloudflare, but then Cloudflare sends it unencrypted to your server.

Anyone who can intercept traffic between Cloudflare and your hosting server — your hosting provider, a compromised datacenter link, a misconfigured proxy — sees it in plaintext. The padlock in the browser gives visitors false confidence that their connection is private end-to-end when it isn't.

Never use Flexible if your site handles login, personal data, or payments. The HTTPS padlock only covers the Cloudflare edge — the origin leg is completely unprotected.

Full SSL: Better, But Not Fully Trustworthy

Full SSL encrypts both connections. Cloudflare connects to your origin over HTTPS, which is correct. However, Full mode accepts any certificate on your origin — including self-signed certificates with no CA validation. If an attacker could somehow substitute a rogue server between Cloudflare and your origin, Full mode wouldn't catch it because it doesn't verify the certificate's identity.

Full mode is acceptable when you need to migrate from Flexible to Strict and your origin doesn't yet have a valid CA certificate, but treat it as a temporary state, not a permanent configuration.

Full (Strict): The Right Choice

Full (Strict) requires your origin server to present a valid, trusted certificate — either from a public CA or from Cloudflare's own Origin CA. This is the only mode that provides genuine end-to-end security. Use this unless you have a specific technical reason not to.

Cloudflare offers a free Origin CA certificate you can install on your web server. It's trusted by Cloudflare but not by public browsers directly — which is fine, because when using Cloudflare, the browser never connects to your origin directly; it always goes through Cloudflare's edge.

How to Set Up Cloudflare SSL (Step by Step)

Step 1: Add Your Domain to Cloudflare

Sign up at cloudflare.com, click "Add a Site," and enter your domain. Cloudflare will scan your existing DNS records and import them. Follow the setup wizard to update your domain's nameservers to Cloudflare's.

Step 2: Install a Certificate on Your Origin Server

Before switching the SSL mode to Full Strict, you need a valid certificate on your origin:

Option A: Cloudflare Origin CA Certificate (recommended for Cloudflare-only traffic)

In the Cloudflare dashboard, go to SSL/TLS → Origin Server → Create Certificate. Generate the certificate and private key, then install them on your server exactly like you would a Let's Encrypt certificate:

# Apache — add to your VirtualHost *:443 block SSLCertificateFile /etc/ssl/cloudflare-origin.pem SSLCertificateKeyFile /etc/ssl/cloudflare-origin.key # Nginx — inside your server { listen 443 ssl; } block ssl_certificate /etc/ssl/cloudflare-origin.pem; ssl_certificate_key /etc/ssl/cloudflare-origin.key;

Option B: Let's Encrypt Certificate

If your site sometimes gets direct traffic (not through Cloudflare), use Let's Encrypt instead — it's trusted by all browsers, not just Cloudflare. Install with Certbot as you normally would.

Step 3: Set SSL Mode to Full (Strict)

In Cloudflare dashboard: SSL/TLS → Overview → Full (Strict). Select it and save. Cloudflare will now verify your origin certificate on every request.

Step 4: Enable "Always Use HTTPS"

While in SSL/TLS settings, also enable Always Use HTTPS under the Edge Certificates tab. This ensures any HTTP request to your Cloudflare-proxied domain gets a 301 redirect to HTTPS at the edge level.

Step 5: Enable HSTS (Optional but Recommended)

In the same Edge Certificates tab, configure HTTP Strict Transport Security (HSTS). Start with a short max-age (300 seconds) to test, then increase to a year once you're confident everything works. See our HSTS guide for details on the risks of enabling preload.

Cloudflare SSL Common Issues

Error 526: Invalid SSL Certificate

Cloudflare can't validate your origin certificate when using Full (Strict). Causes: expired certificate, self-signed cert not recognized (because you're in Strict mode), or hostname mismatch. Fix: install the Cloudflare Origin CA certificate or a valid Let's Encrypt cert on your origin.

Redirect Loop (Too Many Redirects)

Your origin is set to redirect HTTP to HTTPS, but Cloudflare is connecting to your origin over HTTP (Flexible mode) and then redirecting — creating a loop. Fix: switch to Full or Full (Strict) mode so Cloudflare connects to your origin over HTTPS directly, or disable the origin-level HTTP redirect and let Cloudflare handle it with "Always Use HTTPS."

Mixed Content on HTTPS Pages

Your HTML is served over HTTPS but references assets (images, scripts) over HTTP. Cloudflare's Automatic HTTPS Rewrites feature can fix most of these automatically. Find it under SSL/TLS → Edge Certificates → Automatic HTTPS Rewrites.

Test your full SSL chain after switching modes. Use our SSL Checker with your domain to confirm the certificate at the Cloudflare edge is valid, the chain is complete, and there are no mixed content or redirect issues.

Cloudflare vs Direct Certificate: What Gets Checked

When you run an SSL checker tool against a Cloudflare-proxied domain, you're checking the certificate Cloudflare presents at the edge — not the one on your origin server. Both need to be valid, but they can be different certificates. If you want to check your origin certificate directly, you need to bypass Cloudflare by connecting to your server's IP address directly.

FAQs


Verify your SSL configuration end-to-end

Check certificate validity, chain completeness, and TLS configuration on your Cloudflare-proxied domain.