How to determine if a website uses Flexible, Full or Full Strict


Hello everybody,

I was wondering if someone knows a way to determine if a website, protected by Cloudflare, is secured between the host and Cloudflare’s datacenter.
I mean, is it possible to determine if a website uses the Flexible, Full or Full Strict model from an external view (audit)?

The situation is: one of my vendors uses Cloudflare and claims that he is ISO27001 and PCI-DSS compliant. Just want to make sure that this is not bullshit.

Thanks a lot.





Not that I’m aware of. You can probably test the “Flexible” part by checking your server logs to see if they’re hitting http or https, but other than a screenshot of their settings, I don’t think you’ll know if it’s full or strict. They’ll still use HTTPS, but could ignore if a certificate is self-signed.
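The origin-side log check suggested in the reply above, as an added example that is not part of the original thread. It assumes an nginx `log_format` of `'$remote_addr $scheme $http_x_forwarded_proto "$request" $status'`, that Cloudflare sets `X-Forwarded-Proto` to the visitor's scheme, and a partial copy of Cloudflare's published IPv4 ranges; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips/ before relying on this list).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "162.158.0.0/15")]

# Fields: client IP, scheme seen by the origin, X-Forwarded-Proto, request, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<scheme>https?) (?P<xfp>https?|-) '
                     r'"(?P<req>[^"]*)" (?P<status>\d{3})$')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
172.64.10.5 http https "GET / HTTP/1.1" 200
162.158.90.12 http http "GET /a HTTP/1.1" 301
104.16.3.9 https https "POST /checkout HTTP/1.1" 200
203.0.113.7 http - "GET /health HTTP/1.1" 200
garbage line
"""

def from_cloudflare(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_NETS if net.version == ip.version)

def classify(log_text):
    """Count Cloudflare-sourced requests by how the origin leg was protected."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not from_cloudflare(m["ip"]):
            continue  # skip malformed lines and non-Cloudflare clients
        if m["scheme"] == "https":
            counts["encrypted"] += 1
        elif m["xfp"] == "https":
            counts["downgraded"] += 1  # visitor used HTTPS, origin leg was HTTP
        else:
            counts["plaintext"] += 1   # HTTP on both legs
    return counts

def verdict(counts):
    if counts["downgraded"]:
        return "Flexible: HTTPS visitors reached the origin over HTTP"
    if counts["encrypted"]:
        return "Full or Full (strict): logs cannot tell which"
    return "inconclusive"

if __name__ == "__main__":
    c = classify(SAMPLE_LOG)
    print(dict(c), "->", verdict(c))
```

This only works for whoever operates the origin; it does not distinguish Full from Full (strict), because certificate validation happens on Cloudflare's side of the connection.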


It’s not. But if a customer is claiming PCI compliance they’re likely using our WAF on the Business plan… if they’re going to pay us $200/mo for that the odds that they wouldn’t secure the connection from CF to origin (which costs $0 extra) is pretty low.