In my opinion, this probably wouldn’t work in terms of customer reception.
Sure, we here in the Community know what we’re doing and advocate for HTTPS from browser to origin, but the main pull of Cloudflare (at least for Free websites on shared WordPress setups) is the green padlock without having to pay for their hosting provider to install a certificate.
If this header was implemented, it would only be a matter of time before Troy Hunt exposes a website on Twitter for having `cf-security: flexible` in their headers on a page which processes logins or payment information. Odds are the company either goes under (lost a large portion of their ecommerce sales) or decides to switch to another CDN or SSL proxy provider which doesn’t expose their bad security practices.
I’m not saying that this is a bad feature, I voted since I always advocate for e2e security, but I don’t see this working out from a financial standpoint. I obviously don’t know the statistics or have any charts on me, but maybe it would just be toggleable for debugging and not something that is immediately enforced on everyone.