Cloudflare SSL Configuration and Flexible/Strict Mode (which to use)

Cloudflare is a content delivery network used to improve the security and performance of a website. When you set up Cloudflare for a site, you have to choose an SSL encryption mode; the two options discussed here are Flexible and Full (Strict). Looking at both options will show which one is the better choice.

Cloudflare Flexible SSL

Flexible SSL is a way for non-secure websites (those running over HTTP) to appear secure (HTTPS). Setting the encryption mode to Flexible makes your site only partially secure: Cloudflare accepts HTTPS connections between your visitor and Cloudflare, but every connection between Cloudflare and your web server is made over plain HTTP. As a result, it does not require you to purchase an SSL certificate, yet site visitors still access the site via HTTPS and see the green padlock in the browser without any warnings. Use Flexible mode only if you do not have an SSL certificate; do not use this option if you have added an SSL certificate to your domain.

Flexible mode might sound like a good option, but it has serious consequences: visitors can no longer tell whether a site is fully secured or merely encrypted between them and Cloudflare. Most people would be reluctant to enter their card details on a website that does not load over HTTPS, and because they cannot tell that the HTTPS they see has been routed through Cloudflare's Flexible mode, this poses a severe problem. This setting is NOT recommended if you have sensitive information on your website. Cloudflare itself recommends against Flexible SSL; it should be used only if you are unable to set up SSL on your web server.

Cloudflare SSL Strict Mode

SSL Full (Strict) is for sites with a valid SSL certificate: Cloudflare encrypts the traffic to your web server and checks the validity of your certificate. If you use Cloudflare, it is advisable to use Strict mode, which provides a higher level of security; it is the only way to really ensure secure communication over the internet. When you set your encryption mode to Strict, Cloudflare runs everything in strict mode and also enforces stricter requirements for root certificates. It is a mechanism that declares that a website or web application can only be reached via a secure HTTPS connection, and it is another brick in the wall of defence against fraud.

Any certificate that is not a professionally signed or Let's Encrypt certificate is not fully secure and will not work with Cloudflare's Full (Strict) setup. Without Strict mode, a malicious party could technically hijack the connection between Cloudflare and your server and present their own certificate. It no longer costs anything to obtain an SSL certificate, and we offer services like Let's Encrypt SSL certificates to secure your website for free.

With Strict mode, the connection between the user and Cloudflare and the connection from Cloudflare to Verpex are both secure. Your visitors will see HTTPS and a secure padlock in their browser. An application that contains sensitive information should always use Strict mode.
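The following Python script is an added example (not code from Cloudflare, Verpex or this article) that probes an origin server the way each encryption mode would reach it, so you can confirm that the origin presents a certificate Full (Strict) will accept before you switch. It also models Cloudflare's plain Full mode, which encrypts without validating the certificate; the hostname, the 203.0.113.10 origin address and the helper names are placeholders and assumptions of the example.

```python
# Added example (not Cloudflare's or Verpex's code): probe an origin server the way
# each Cloudflare encryption mode would reach it. Assumes you know the origin's real
# IP, since the public DNS name resolves to Cloudflare. Standard library only.
import socket
import ssl

# What each mode does on the Cloudflare -> origin leg.
MODE_POLICY = {
    "flexible": {"tls": False, "verify_chain": False, "verify_hostname": False},
    "full":     {"tls": True,  "verify_chain": False, "verify_hostname": False},
    "strict":   {"tls": True,  "verify_chain": True,  "verify_hostname": True},
}


def context_for(mode):
    """ssl.SSLContext that checks what `mode` checks, or None for plaintext HTTP."""
    policy = MODE_POLICY[mode]
    if not policy["tls"]:
        return None
    ctx = ssl.create_default_context()  # system trust store, secure defaults
    if not policy["verify_chain"]:
        ctx.check_hostname = False      # Full: encrypt, but accept any certificate
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_origin(hostname, origin_ip, mode="strict", port=None, timeout=5.0):
    """Connect to origin_ip as `mode` would; return {"ok", "mode", "detail"}."""
    ctx = context_for(mode)
    port = port or (443 if ctx else 80)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            if ctx is None:
                return {"ok": True, "mode": mode, "detail": "plain HTTP reachable (unencrypted)"}
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:  # SNI = site name
                cert = tls.getpeercert()  # {} when the chain was not validated (Full)
                expiry = cert.get("notAfter", "unknown") if cert else "not verified"
                return {"ok": True, "mode": mode, "detail": f"{tls.version()}, cert expires {expiry}"}
    except ssl.SSLCertVerificationError as exc:
        # Under "strict" this is exactly what Cloudflare would refuse: fix the cert first.
        return {"ok": False, "mode": mode, "detail": f"certificate rejected: {exc.verify_message}"}
    except OSError as exc:  # refused, timed out, or TLS handshake failure
        return {"ok": False, "mode": mode, "detail": f"connection failed: {exc}"}


if __name__ == "__main__":
    # Placeholder hostname and documentation-range IP; replace with your site and origin.
    for mode in MODE_POLICY:
        print(mode, probe_origin("www.example.com", "203.0.113.10", mode))
```

If the "strict" probe reports a rejected certificate while "full" succeeds, the origin is encrypting with a certificate Cloudflare will not trust; replace it with a CA-issued or Let's Encrypt certificate for the site's hostname before enabling Full (Strict).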

For the best security, always choose Strict mode.