
Cloudflare SSL Modes Explained: Off vs Flexible vs Full vs Full Strict

April 15, 2026


Cloudflare offers four SSL/TLS encryption modes (plus an Enterprise-only fifth, covered in the FAQ), and choosing the wrong one is one of the most common causes of broken or silently insecure sites behind Cloudflare. Names like "Flexible" and "Full" hide real differences in what is encrypted and what is authenticated. In this guide, we break down exactly what each mode does, show the encryption at every hop, and explain why Full (Strict) is the only mode you should use in production.

Quick Answer: If you just want to know which mode to use — it is Full (Strict). Always. For every site. No exceptions. Read on to understand why.

The Four SSL Modes: Visual Overview

Before diving into the details, let us see all four modes side by side. Pay attention to what happens between Cloudflare and your origin server — that is where the critical difference lies.

Mode 1: Off (Not Recommended)

Browser --HTTP (no encryption)--> Cloudflare (pass-through) --HTTP (no encryption)--> Origin Server

SSL Off: No encryption anywhere. All traffic between the visitor, Cloudflare, and your server is transmitted in plain text. Anyone on the path can read passwords, personal data, and session cookies. There is no reason to use this mode. Modern browsers flag the site as "Not Secure," and Google treats HTTPS as a ranking signal, so HTTP-only sites lose out in search as well.

When SSL is Off, Cloudflare still proxies the traffic (CDN caching, WAF and DDoS filtering keep working) but only over HTTP: it serves no certificate for the site and answers HTTPS requests with a redirect to HTTP, so no padlock is ever shown. If the origin redirects HTTP back to HTTPS, the two redirects chase each other into a loop. Visitors are fully exposed to eavesdropping and man-in-the-middle attacks. Even for development or testing this mode should be avoided, because it creates habits that lead to incidents in production.

Mode 2: Flexible

Browser --HTTPS (encrypted)--> Cloudflare (terminates TLS) --HTTP (plain text!)--> Origin Server

Flexible SSL: The Dangerous Illusion. The visitor sees a padlock icon and "HTTPS" in the address bar, which suggests the connection is secure. But the traffic between Cloudflare and your origin server travels over unencrypted HTTP. This is a false sense of security. Anyone positioned between Cloudflare's data center and your server (ISP, data center staff, network attacker) can read all traffic in plain text.

Flexible mode was originally introduced by Cloudflare as a stepping stone for sites that did not have SSL certificates installed on their origin servers. The idea was that some encryption (browser to Cloudflare) is better than none. While this logic has a grain of truth, Flexible mode creates two serious problems:

Problem 1: Redirect Loops

If your origin server has any HTTPS redirect rule (which most modern servers do), Flexible mode creates an infinite redirect loop. Cloudflare sends HTTP to your server, your server redirects to HTTPS, Cloudflare sends HTTP again, and the cycle repeats until the browser gives up with ERR_TOO_MANY_REDIRECTS.

Problem 2: False Security

Visitors believe their connection is fully encrypted because they see the padlock icon. In reality, their data crosses the Cloudflare-to-origin hop in the clear. From the visitor's point of view this is arguably worse than plain HTTP: with plain HTTP the browser says "Not Secure" and they can decide not to submit sensitive information; with Flexible the padlock tells them the opposite of the truth.

Common misconception: "I don't have an SSL certificate, so Flexible is my only option." This is false. Free SSL certificates from Let's Encrypt can be issued in under a minute, and Cloudflare itself offers free Origin CA certificates that are valid for 15 years. There is never a valid reason to use Flexible mode.

Mode 3: Full

Browser --HTTPS (encrypted)--> Cloudflare (terminates TLS) --HTTPS (encrypted, but any certificate accepted)--> Origin Server

Full SSL: Better, but not bulletproof. Both connections are encrypted, which is a significant improvement over Flexible. However, Cloudflare does not validate the origin server's SSL certificate. This means a self-signed, expired, or even fraudulent certificate will be accepted without warning.

Full mode encrypts traffic in both directions, which eliminates the redirect loop problem and protects against passive eavesdropping. However, the lack of certificate validation leaves the door open for a sophisticated man-in-the-middle attack. If an attacker can position themselves between Cloudflare and your origin server (for example, through DNS hijacking or a compromised network), they could present their own certificate and intercept all traffic. Cloudflare would accept it without question.

This mode is acceptable as a temporary measure while you are setting up a proper SSL certificate. It should not be used as a permanent configuration for any site that handles user data, passwords, or payment information.

Mode 4: Full (Strict)

Browser --HTTPS (encrypted)--> Cloudflare (terminates TLS) --HTTPS (encrypted + validated)--> Origin Server (trusted, hostname-matching certificate)

Full (Strict): The Gold Standard. Both hops are encrypted, and Cloudflare verifies that the origin certificate chains to a CA it trusts (a public CA or Cloudflare's own Origin CA), is within its validity period, and matches the hostname it connected to. An attacker on the origin hop can no longer substitute their own certificate, which closes the gap Full leaves open. Be clear about what it does not do: Cloudflare still terminates TLS at the edge and sees plaintext there (inherent to any reverse proxy), and nothing in this setting stops a client from reaching the origin directly and bypassing Cloudflare; that is what Authenticated Origin Pulls or firewalling the origin to Cloudflare's IP ranges is for.

Full (Strict) gives the origin hop the guarantees a browser gets from a direct HTTPS connection, on top of Cloudflare's CDN, DDoS protection, and WAF. The origin certificate must be either:

  • A certificate issued by a public Certificate Authority (e.g., Let's Encrypt, DigiCert, Sectigo, formerly Comodo), or
  • A Cloudflare Origin CA certificate (free, valid for up to 15 years, trusted only by Cloudflare's edge)

and in both cases it must be unexpired and must cover the hostname Cloudflare connects to (wildcards are fine). A self-signed certificate is rejected, and visitors see Cloudflare's 526 error page.
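What "does not validate the certificate" means in practice is easiest to see as client code. The Python below is an added example written for this article, not Cloudflare's edge code: it builds a TLS client context with the validation semantics of Full (no chain or hostname check) and of Full (Strict) (chain, validity and hostname checked, TLS 1.2 minimum), connects straight to an origin IP with the site's hostname as SNI, the way the edge does, and maps failures to the Cloudflare status visitors would see after a mode switch (521 connection refused, 522 timeout, 523 unreachable, 525 handshake failed, 526 certificate rejected). The `cafile` parameter and the status mapping are the example's own assumptions: pass Cloudflare's Origin CA root certificate as `cafile` if the origin uses an Origin CA certificate, because that root is not in any system trust store.

```python
"""Probe an origin directly with Full-style and Full (Strict)-style validation.

Added example for this article, not Cloudflare code. The status-code mapping
and the cafile handling are the example's own assumptions.
"""
import socket
import ssl
from typing import Optional, Tuple, Union

# Cloudflare 5xx codes the edge serves when the origin hop fails.
CF_WEB_SERVER_DOWN = 521        # origin refused the TCP connection
CF_CONNECTION_TIMED_OUT = 522
CF_ORIGIN_UNREACHABLE = 523
CF_SSL_HANDSHAKE_FAILED = 525   # origin does not speak TLS / no common cipher
CF_INVALID_SSL_CERT = 526       # Full (Strict) only: certificate rejected


def edge_context(mode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context with the origin-validation semantics of an SSL mode."""
    if mode not in ("full", "strict"):
        raise ValueError("mode %r does not use TLS on the origin hop" % mode)
    ctx = ssl.create_default_context(cafile=cafile)  # system store, or Origin CA root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if mode == "full":
        # Full: encrypt, but accept any certificate and ignore the hostname.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # strict: create_default_context already set CERT_REQUIRED + check_hostname
    return ctx


def expected_cloudflare_status(exc: BaseException) -> int:
    """Map a local failure to the Cloudflare error page visitors would get."""
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError: test first
        return CF_INVALID_SSL_CERT
    if isinstance(exc, ssl.SSLError):
        return CF_SSL_HANDSHAKE_FAILED
    if isinstance(exc, ConnectionRefusedError):
        return CF_WEB_SERVER_DOWN
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return CF_CONNECTION_TIMED_OUT
    if isinstance(exc, OSError):                         # e.g. no route to host
        return CF_ORIGIN_UNREACHABLE
    raise TypeError("not a network failure: %r" % (exc,))


def probe_origin(hostname: str, origin_ip: str, mode: str, port: int = 443,
                 cafile: Optional[str] = None, timeout: float = 5.0
                 ) -> Tuple[bool, Union[int, str]]:
    """Connect to origin_ip with SNI=hostname the way the edge would in `mode`.

    Returns (True, description of the accepted certificate) or
    (False, Cloudflare status code the edge would most likely serve).
    """
    ctx = edge_context(mode, cafile)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                if mode == "full":
                    return True, "accepted %d-byte certificate without validation" % len(der)
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, "validated certificate for %s" % subject.get("commonName", hostname)
    except OSError as exc:           # ssl.SSLError is an OSError subclass
        return False, expected_cloudflare_status(exc)


if __name__ == "__main__":
    import sys
    host, ip = sys.argv[1], sys.argv[2]      # e.g. example.com 203.0.113.10 (placeholders)
    for mode in ("full", "strict"):
        print(mode, probe_origin(host, ip, mode))
```

Run it against the origin's real IP (not the Cloudflare-proxied address) before flipping the dashboard setting: if "full" succeeds and "strict" reports 526, the origin has a self-signed, expired or wrong-name certificate; if both report 525, the origin is not serving TLS on that port at all.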

Complete Comparison Table

Here is a detailed comparison of all four modes across every important dimension:

Feature                                Off       Flexible   Full                           Full (Strict)
Browser ↔ Cloudflare                   HTTP      HTTPS      HTTPS                          HTTPS
Cloudflare ↔ Origin                    HTTP      HTTP       HTTPS                          HTTPS
Origin certificate required?           No        No         Any (self-signed OK)           Trusted CA, unexpired, hostname match
Origin certificate validated?          N/A       N/A        No                             Yes
Redirect loop if origin forces HTTPS   Yes       Yes        No                             No
Active MITM on origin hop              Trivial   Trivial    Possible (swap certificate)    Blocked
Passive eavesdropping on origin hop    Exposed   Exposed    Protected                      Protected
Browser padlock                        No        Yes        Yes                            Yes
HTTPS as a search ranking signal       No        Yes        Yes                            Yes
PCI DSS Req. 4 (encrypt in transit)    Fails     Fails      Encrypted, unauthenticated     Meets, for this hop
Recommended?                           Never     Never      Temporary                      Always

(No Cloudflare setting makes a site PCI DSS compliant on its own; the row only says whether the Cloudflare-to-origin hop satisfies the transit-encryption requirement.)

Why Flexible SSL Is Dangerous

Flexible SSL deserves extra scrutiny because it is both the most commonly selected wrong option and the most deceptively dangerous one. Let us examine why it fails on multiple levels.

The Padlock Lie: When a visitor sees the padlock icon in their browser, they trust that their entire connection is secure. With Flexible SSL, this trust is misplaced. The padlock only indicates that the connection from the browser to Cloudflare is encrypted. The second half of the journey — from Cloudflare to the origin server — is completely unprotected.

Scenario: An E-commerce Site on Flexible SSL

Imagine a customer submitting their credit card number on an e-commerce site using Flexible SSL. They see the padlock, they feel safe. Here is what actually happens to their data:

Customer enters card number --HTTPS (encrypted)--> Cloudflare --HTTP (plain text!)--> Origin Server processes payment

The credit card number travels in plain text from Cloudflare's data center to the origin server. Any network device, monitoring system, or malicious actor along that path can read it. Cardholder data crossing the public Internet unencrypted fails PCI DSS Requirement 4 (strong cryptography for cardholder data over open, public networks) and is a real liability for the site owner.

The Redirect Loop Problem

Beyond security, Flexible mode also causes the most common Cloudflare technical issue: the infinite redirect loop. Nearly every modern web server and CMS is configured to redirect HTTP traffic to HTTPS. When Cloudflare sends HTTP requests to the origin (as Flexible mode does), the server dutifully redirects to HTTPS, the browser follows, Cloudflare sends HTTP to the origin again, and so on. The result: ERR_TOO_MANY_REDIRECTS and a completely inaccessible website.

This affects WordPress, Drupal, Laravel, Django, Rails, essentially any framework or CMS that follows modern security practices. Most of them can be told to trust the proxy's X-Forwarded-Proto header (Cloudflare sets it, along with its own CF-Visitor header) and redirect on the visitor's scheme rather than the scheme on the wire; that stops the loop but leaves the Cloudflare-to-origin hop in plain text, so treat it as a diagnostic, not a fix. If you have enabled HTTPS redirects on your server (which you should), the right response is to move to Full (Strict), not to disable them.
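The loop described under Problem 1 and again here, and the header-based workaround, are easy to model. The following Python is an added example written for this article, not code from the post, from Cloudflare, or from any CMS: it models which scheme Cloudflare uses toward the origin in each mode and a browser following redirects, with two toy origins, one that redirects on the wire scheme (as an nginx `return 301 https://...` in the port-80 server block does) and one that honors X-Forwarded-Proto, which Cloudflare sets on every proxied request. The hostname example.com and the redirect limit of 10 are the example's own choices.

```python
"""Model the Flexible-mode redirect loop and the X-Forwarded-Proto workaround.

Added example for this article, not Cloudflare code. The hop model, the
hostname (example.com) and the redirect limit are the example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Scheme Cloudflare uses on the Cloudflare -> origin hop, per encryption mode.
ORIGIN_SCHEME = {"flexible": "http", "full": "https", "strict": "https"}


@dataclass
class OriginRequest:
    wire_scheme: str                                   # what the origin's socket actually speaks
    headers: Dict[str, str] = field(default_factory=dict)


Origin = Callable[[OriginRequest], Tuple[int, Optional[str]]]   # -> (status, Location)


def naive_origin(req: OriginRequest) -> Tuple[int, Optional[str]]:
    """Origin that redirects on the wire scheme, e.g. nginx
    `return 301 https://$host$request_uri;` in the listen-80 server block."""
    if req.wire_scheme != "https":
        return 301, "https://example.com/"
    return 200, None


def proxy_aware_origin(req: OriginRequest) -> Tuple[int, Optional[str]]:
    """Origin that trusts its reverse proxy's X-Forwarded-Proto (Cloudflare sets
    it, and CF-Visitor) and redirects on the visitor's scheme instead."""
    visitor_scheme = req.headers.get("X-Forwarded-Proto", req.wire_scheme)
    if visitor_scheme != "https":
        return 301, "https://example.com/"
    return 200, None


def browse(mode: str, visitor_scheme: str, origin: Origin,
           max_redirects: int = 10) -> Tuple[object, List[Tuple[str, str, int]]]:
    """Browser -> Cloudflare -> origin, following redirects as a browser would.

    Returns (final result, trace); each trace entry is
    (visitor scheme, scheme on the Cloudflare->origin hop, origin status).
    """
    trace: List[Tuple[str, str, int]] = []
    scheme = visitor_scheme
    for _ in range(max_redirects + 1):
        req = OriginRequest(
            wire_scheme=ORIGIN_SCHEME[mode],
            headers={"X-Forwarded-Proto": scheme,
                     "CF-Visitor": '{"scheme":"%s"}' % scheme},
        )
        status, location = origin(req)
        trace.append((scheme, req.wire_scheme, status))
        if status != 301:
            return status, trace
        scheme = "https" if location.startswith("https://") else "http"
    return "ERR_TOO_MANY_REDIRECTS", trace


def plaintext_hops(trace: List[Tuple[str, str, int]]) -> int:
    """How many times the request crossed the Cloudflare -> origin hop in the clear."""
    return sum(1 for _, wire, _ in trace if wire == "http")


if __name__ == "__main__":
    for mode, origin in (("flexible", naive_origin),
                         ("flexible", proxy_aware_origin),
                         ("strict", naive_origin)):
        result, trace = browse(mode, "https", origin)
        print("%-8s %-18s -> %-22s plaintext hops: %d"
              % (mode, origin.__name__, result, plaintext_hops(trace)))
```

Two things the trace makes visible: the proxy-aware origin stops the loop but every one of its requests still crossed the origin hop as plain text, and in Full or Full (Strict) the naive origin never redirects an HTTP visitor at all (it only ever sees HTTPS on the wire), which is why Always Use HTTPS at the edge is still needed.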

When to Use Each Mode

Off — NEVER

There is no legitimate use case for disabling SSL entirely. Even for internal tools or development environments, HTTPS should be used. The performance overhead of SSL is negligible on modern hardware, and the security benefits are non-negotiable.


Flexible — NEVER

Flexible provides a false sense of security and causes redirect loops with most server configurations. Free SSL certificates eliminate the only historical reason for this mode's existence. If your hosting provider does not support SSL, switch providers.


Full — Temporary Only

Acceptable for a brief transition period while you are obtaining and installing a proper SSL certificate on your origin. Should not remain as a permanent setting. The lack of certificate validation leaves a security gap that sophisticated attackers can exploit.


Full (Strict) — ALWAYS

The only mode that provides genuine end-to-end encryption with certificate validation. Use this for every website, every domain, every time. Free certificates from Let's Encrypt or Cloudflare Origin CA make this accessible to everyone at zero cost.


How to Set Up Full (Strict) Mode

Setting up Full (Strict) requires two things: a valid SSL certificate on your origin server and the correct Cloudflare setting. Here is the complete process:

Step A: Get an Origin SSL Certificate

You have two excellent free options:

Option 1: Let's Encrypt

The most popular free CA, trusted by all browsers. Certificates are valid for 90 days and can be auto-renewed. Available through most hosting panels (cPanel, Plesk, Panelica) or via Certbot on the command line.

# Install via Certbot
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Option 2: Cloudflare Origin CA

Issued directly by Cloudflare and valid for up to 15 years. It is trusted only by Cloudflare's edge, not by browsers or operating systems, so anything that reaches the origin without going through Cloudflare (a direct curl, an uptime monitor, a misrouted client) will see a certificate warning. Ideal for origins that will only ever be reached through Cloudflare.

Generate from: SSL/TLS → Origin Server → Create Certificate

Step B: Configure Cloudflare

1. Set SSL Mode to Full (Strict)

In the Cloudflare dashboard, go to SSL/TLS → Overview and select Full (Strict). This ensures Cloudflare connects to your origin over HTTPS and validates the certificate.

2. Enable Always Use HTTPS

Under SSL/TLS → Edge Certificates, enable Always Use HTTPS. This automatically redirects all HTTP requests to HTTPS at the Cloudflare edge, before they even reach your server.

3. Enable Automatic HTTPS Rewrites

Also under Edge Certificates, enable Automatic HTTPS Rewrites. Cloudflare rewrites http:// references in your HTML to https:// for hosts it knows support HTTPS, which removes most mixed-content warnings without code changes; references to hosts that only serve HTTP are left alone, so fix those in the source.

4. Set Minimum TLS Version

Set the minimum TLS version to TLS 1.2 (TLS 1.3 only if you are sure no client you care about still needs 1.2). This disables TLS 1.0 and 1.1, which RFC 8996 deprecated; BEAST targets TLS 1.0's CBC mode, and POODLE targets SSL 3.0, which Cloudflare no longer offers at all.

5. Test Your Configuration

Open your site in a browser, check for the padlock icon, and verify there are no mixed content warnings in the developer console (F12 → Console). Use SSL Labs for a comprehensive assessment of the edge configuration. Remember that both of these only see the first hop: nothing in the browser tells you whether the Cloudflare-to-origin connection is validated, so also connect to the origin's IP directly (for example with openssl s_client, passing the hostname as SNI) and confirm the certificate chain verifies and the name matches.

Expected Result: Your site loads over HTTPS with a valid certificate, no mixed content warnings, and an A or A+ rating on SSL Labs. Both the browser-to-Cloudflare and Cloudflare-to-origin connections are fully encrypted and authenticated.
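Steps 1 to 4 can also be applied as one scripted change so the zone ends in a known state. The Python below is an added example written for this article, not Cloudflare's or Panelica's tooling; it uses the public v4 API endpoint PATCH /zones/{zone_id}/settings/{setting_id} with a bearer token that has Zone Settings: Edit on the zone. The setting ids and values (ssl=strict, always_use_https=on, automatic_https_rewrites=on, min_tls_version=1.2) are the API names of the dashboard options above; `dry_run` defaulting to True, the order, and the placeholder zone id and token are the example's own choices.

```python
"""Apply the Step B settings to a zone with the Cloudflare v4 API.

Added example for this article, not Cloudflare's own tooling. Assumes an API
token with Zone Settings: Edit on the zone; order and defaults are this
example's choices.
"""
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

API = "https://api.cloudflare.com/client/v4"

# (setting id, desired value), in the order the article's steps apply them.
DESIRED_SETTINGS: List[Tuple[str, str]] = [
    ("ssl", "strict"),                   # Step 1: Full (Strict)
    ("always_use_https", "on"),          # Step 2
    ("automatic_https_rewrites", "on"),  # Step 3
    ("min_tls_version", "1.2"),          # Step 4
]


def plan_settings(zone_id: str,
                  settings: List[Tuple[str, str]] = DESIRED_SETTINGS
                  ) -> List[Tuple[str, Dict[str, str]]]:
    """Pure: the PATCH (url, body) pairs that would be sent. Nothing is sent."""
    return [("%s/zones/%s/settings/%s" % (API, zone_id, sid), {"value": value})
            for sid, value in settings]


def _call(url: str, token: str, method: str = "GET",
          body: Optional[dict] = None) -> dict:
    """One authenticated API call; raises on transport or API-level failure."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError("Cloudflare API error: %s" % payload.get("errors"))
    return payload["result"]


def current_ssl_mode(zone_id: str, token: str) -> str:
    """Read the zone's current encryption mode (off/flexible/full/strict)."""
    return _call("%s/zones/%s/settings/ssl" % (API, zone_id), token)["value"]


def apply_settings(zone_id: str, token: str, dry_run: bool = True
                   ) -> List[Tuple[str, str]]:
    """Apply DESIRED_SETTINGS; returns (setting id, value now in effect) pairs.

    Run the origin pre-flight first: ssl=strict takes effect within seconds,
    and an origin without a valid certificate turns into 525/526 pages.
    """
    applied: List[Tuple[str, str]] = []
    for url, body in plan_settings(zone_id):
        sid = url.rsplit("/", 1)[1]
        if dry_run:
            applied.append((sid, body["value"]))
            continue
        result = _call(url, token, "PATCH", body)
        applied.append((sid, result["value"]))
    return applied


if __name__ == "__main__":
    import os
    zone = os.environ.get("CF_ZONE_ID", "023e105f4ecef8ad9ca31a8372d0c353")  # placeholder id
    token = os.environ.get("CF_API_TOKEN", "")
    live = bool(token) and os.environ.get("CF_APPLY") == "1"
    if live:
        print("before:", current_ssl_mode(zone, token))
    for sid, value in apply_settings(zone, token, dry_run=not live):
        print("%-26s -> %s" % (sid, value))
```

Keep `dry_run` on until the origin probe passes in strict mode; the settings are idempotent, so re-running the script after a fix is safe.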

Panelica: SSL Done Right, Automatically

If you manage your servers through Panelica, SSL configuration is handled automatically. Here is what Panelica does for every domain:

Add domain in Panelica -> auto-issue Let's Encrypt certificate -> configure Nginx SSL -> set Cloudflare to Full (Strict) -> auto-renew every 60 days

Zero-Touch SSL Issuance

When you add a domain, Panelica automatically requests and installs a Let's Encrypt certificate. No manual commands, no DNS challenges to configure, no waiting. The certificate is ready within seconds of DNS propagation.

Automatic Renewal

Certificates are automatically renewed 30 days before expiry. The renewal happens in the background with zero downtime. You receive a notification in the panel if any renewal encounters issues.

Cloudflare Integration

If your domain uses Cloudflare, Panelica's Cloudflare tab lets you manage SSL mode, DNS records, cache, and security settings from one place. The default SSL mode is always Full (Strict).

Nginx Pre-Configuration

Every virtual host is generated with proper SSL directives, HSTS headers, OCSP stapling, and modern cipher suites. The configuration follows Mozilla's recommended "Modern" profile for maximum security.

Frequently Asked Questions

Can I use Flexible mode if I do not have a server SSL certificate?

Technically yes, but you should not. Free certificates from Let's Encrypt take less than a minute to issue. Cloudflare also offers free Origin CA certificates. There is no valid reason to skip origin SSL in 2026. Use Full (Strict) instead.

What is the difference between Full and Full (Strict)?

Full encrypts traffic to the origin but accepts any certificate, including self-signed, expired, or invalid ones. Full (Strict) requires a valid certificate from a trusted CA and verifies the domain name matches. Full (Strict) protects against man-in-the-middle attacks; Full does not.

Will changing SSL mode cause downtime?

No. The mode change takes effect at the edge within seconds and causes no downtime on its own. What does cause an outage is changing the mode before the origin is ready: if the origin does not accept TLS on port 443 at all, Full and Full (Strict) return a 525 (SSL handshake failed); if it serves a self-signed, expired or wrong-hostname certificate, Full (Strict) returns a 526 (Invalid SSL certificate). Install and test the certificate first, then change the mode.

Does Flexible mode cause redirect loops?

Yes, in most cases. Any server configured to redirect HTTP to HTTPS will create an infinite loop with Flexible mode, because Cloudflare sends HTTP to the origin. The server redirects to HTTPS, Cloudflare sends HTTP again, and the loop continues. This manifests as ERR_TOO_MANY_REDIRECTS in the browser.

Is a self-signed certificate acceptable for Full mode?

Yes, Full mode accepts self-signed certificates. However, this provides encryption without authentication — you cannot be certain you are communicating with the real origin server. For production sites, always use Full (Strict) with a CA-signed certificate.

Can I use different SSL modes for different subdomains?

Not through the zone-wide SSL/TLS setting, which applies to the whole zone. You can override the encryption mode for a specific hostname or path with a Configuration Rule (or a legacy Page Rule with the SSL setting); how many rules you get depends on your plan. The override takes the same four values, so the advice is unchanged: set the zone to Full (Strict) and use a rule only to relax one hostname temporarily while its origin is being fixed.

What about Cloudflare's "Strict (SSL-Only Origin Pull)" option?

That is a fifth encryption mode, available on Enterprise plans, not a separate feature. It behaves like Full (Strict) with one addition: Cloudflare connects to the origin over HTTPS even when the visitor arrived over HTTP. It is easy to confuse with Authenticated Origin Pulls (SSL/TLS → Origin Server), which is the feature that makes the origin accept connections only from Cloudflare: the origin is configured to require a client certificate, and Cloudflare presents one on every origin connection. Authenticated Origin Pulls (or firewalling port 443 to Cloudflare's published IP ranges) is what stops attackers from bypassing Cloudflare and hitting the origin directly; it complements Full (Strict) rather than replacing it.

Summary

Cloudflare's SSL modes control how traffic is encrypted on the hop from Cloudflare to your origin server. With any mode other than Off, visitors can reach the edge over HTTPS (and are forced to if Always Use HTTPS is on); it is the origin hop that varies dramatically by mode. Here is the final recommendation:

Off: never. Flexible: never. Full: temporary only. Full (Strict): use this.

Install a free SSL certificate on your origin server, verify it directly, set Cloudflare to Full (Strict), enable Always Use HTTPS and Automatic HTTPS Rewrites, and set the minimum TLS version to 1.2. That gives you an encrypted and authenticated path on both hops at zero additional cost; restricting the origin to Cloudflare (Authenticated Origin Pulls or a firewall rule) is the natural next step. If you use Panelica, the certificate and the Full (Strict) setting are configured automatically for every domain you add.
