Any reason to not use Full Encryption Mode?


I recently imported all our CNAME records, including those for a web-based application with our domain in it (app . ourdomain . org), and it caused a redirect loop.

The web application’s server was already redirecting from http to https, and apparently Cloudflare was redirecting users back to http, causing a loop, crashing the app’s server.

They’re asking if we can turn on full encryption mode.

Would there be any negative results if I did this? Our other records include:

NS records

A records for our main website

MX records

TXT records for Office 365

SRV records for Lync/Skype

CNAMEs for (I had to alter these so they don’t appear as actual links): outlook autodiscover, lync, login microsoftonline com, sipdir-lync, and our VPN.

As an alternative, they suggested that we switch the CNAMEs for their app from Proxied to DNS only, which I’ve now done.

Thank you!

Full (Strict) is best. Full (not strict) is pretty good, so it’s definitely a good idea to use one of the Full modes. Web servers should have TLS/SSL certificates on them.

:wave: @mapplebaum

Office 365 records should not be proxied, so the settings you use for :orange: won’t apply to those hosts.

— OG
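
The loop described in the question, modelled as an added example that is not part of the original posts. It assumes the zone was in Cloudflare's Flexible mode (edge-to-origin hop over plain HTTP) and uses the placeholder host app.example.org; `origin`, `edge` and `trace` are hypothetical, simplified stand-ins, not Cloudflare code.

```python
"""Constructed model of the redirect loop from the thread (not Cloudflare code)."""
from urllib.parse import urlsplit

HOST = "app.example.org"  # placeholder for the real application hostname


def origin(scheme, path):
    """The app server as described in the question: it forces HTTPS.
    Returns (status, Location header or None)."""
    if scheme == "http":
        return 301, f"https://{HOST}{path}"
    return 200, None


def edge(visitor_url, mode):
    """Simplified proxy: choose the scheme for the edge-to-origin hop.
    Assumption: 'flexible' always uses plain HTTP upstream, while 'full'
    reuses the visitor's scheme. 'dns_only' means no proxy at all, so the
    visitor's scheme reaches the origin unchanged."""
    parts = urlsplit(visitor_url)
    upstream = "http" if mode == "flexible" else parts.scheme
    return origin(upstream, parts.path or "/")


def trace(url, mode, max_hops=10):
    """Follow redirects like a browser would. Returns (hops, looped)."""
    seen, hops = set(), []
    for _ in range(max_hops):
        status, location = edge(url, mode)
        hops.append((url, status))
        if status not in (301, 302, 307, 308):
            return hops, False           # final response reached
        if location == url or location in seen:
            return hops, True            # redirected to a URL already visited
        seen.add(url)
        url = location
    return hops, True                    # hop budget exhausted


if __name__ == "__main__":
    for mode in ("flexible", "full", "dns_only"):
        hops, looped = trace(f"http://{HOST}/", mode)
        print(f"{mode:9} looped={looped} hops={hops}")
```

In the model, the origin never sees an HTTPS request while the edge is in Flexible mode, so its redirect can never be satisfied; both Full mode and the DNS-only change end the loop because the HTTPS request reaches the origin as HTTPS.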
