“Best” (most secure) would be “Full strict”. For that you need to have a publicly trusted certificate installed on your server though. If you have a certificate but it is not trusted you can fall back to “Full”.
If you cant use HTTPS at all on your machine you could use “Flexible”, but that leaves somewhat of a false impression to your users, as only the connection between them and Cloudflare will be encrypted. The connection onwards to your server will be still HTTP. And “Off” means there is no TLS involved at all and there will be a HTTP redirect should a user connect via HTTPS.