Cloudflare SSL Modes Explained — Off, Flexible, Full, Full (Strict)
Compare Cloudflare's four SSL/TLS encryption modes and learn which one to choose for your site.
Problem
You’re using Cloudflare and need to choose the right SSL/TLS encryption mode, or you’re experiencing SSL-related errors like redirect loops or mixed content.
Mode Comparison
| Mode | Visitor → Cloudflare | Cloudflare → Origin | Origin Cert Required |
|---|---|---|---|
| Off | HTTP (no encryption) | HTTP | No |
| Flexible | HTTPS | HTTP (unencrypted!) | No |
| Full | HTTPS | HTTPS | Yes (self-signed OK) |
| Full (Strict) | HTTPS | HTTPS | Yes (valid CA cert) |
Top 3 Mistakes
- Using Flexible mode — Traffic between Cloudflare and your origin is unencrypted. Anyone on the network path can intercept data.
- Flexible + origin HTTPS redirect = redirect loop — Cloudflare sends HTTP to the origin, the origin redirects to HTTPS, and Cloudflare sends HTTP again, so the loop never ends.
- Full without a valid cert — Full mode accepts self-signed certs, which means Cloudflare doesn’t verify the origin’s identity. Use Full (Strict) with a proper certificate.
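The redirect loop in the second item can be reproduced and detected without touching a live site. The Python below is an added example, not part of the original guide or of any Cloudflare or DechoNet tooling; `simulated_edge` is a constructed, simplified model of the proxy and origin based on the mode table, and `example.com` is a placeholder.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_once(url):
    """One GET with no automatic redirect handling -> (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=fetch_once, max_hops=10):
    """Follow redirects by hand; verdict is 'resolved', 'loop' or 'too-many-hops'."""
    chain, seen = [], set()
    for _ in range(max_hops):
        if url in seen:                  # same URL requested twice: it can never resolve
            return chain, "loop"
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            return chain, "resolved"
        url = urljoin(url, location)     # Location may be relative
    return chain, "too-many-hops"

def simulated_edge(mode, origin_forces_https):
    """Constructed model of proxy + origin (assumption: simplified from the mode table)."""
    def fetch(url):
        u = urlsplit(url)
        upstream = "http" if mode == "flexible" else "https"  # scheme used toward the origin
        if origin_forces_https and upstream == "http":
            return 301, f"https://{u.netloc}{u.path or '/'}"  # origin's HTTP->HTTPS redirect
        return 200, None
    return fetch

if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        chain, verdict = trace_redirects("https://example.com/", simulated_edge(mode, True))
        print(mode, verdict, chain)
```

Calling `trace_redirects(url)` with the default `fetch_once` runs the same check against a real hostname you operate.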
Diagnosis with DechoNet
- SSL Check — Verify your origin server’s certificate is valid, not expired, and covers the correct domains.
- HTTP Check — Look for redirect chains that might indicate a Flexible/redirect loop issue.
Resolution Checklist
- Set Cloudflare SSL/TLS mode to Full (Strict).
- Install a valid SSL certificate on your origin server (Let’s Encrypt or Cloudflare Origin CA).
- If using Cloudflare Origin CA, note it’s only trusted by Cloudflare — direct access will show a certificate warning.
- Disable “Always Use HTTPS” on Cloudflare if your origin already handles redirects, to avoid a double redirect.
- After changing modes, test with DechoNet HTTP Check for redirect loops and SSL Check for certificate validity.