How to determine if a website uses Flexible, Full or Full strict

Hello everybody,

I was wondering if someone knows a way to determine if a website, protected by Cloudflare, is secured between the host and Cloudflare's datacenter.
I mean, is it possible to determine if a website uses the Flexible, Full or Full Strict model from an external view (audit)?

The situation is: one of my vendors uses Cloudflare and claims that he is ISO27001 and PCI-DSS compliant. Just want to make sure that this is not bullshit.

Thanks a lot.

Thank

wrote:

Not that I’m aware of. You can probably test the “Flexible” part by checking your server logs to see if they’re hitting http or https, but other than a screenshot of their settings, I don’t think you’ll know if it’s full or strict. They’ll still use HTTPS, but could ignore if a certificate is self-signed.
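One way to run the log check described in this reply, as an added example that is not from the original thread or from Cloudflare: it assumes an nginx log_format that records `$scheme`, a constructed sample log, and a small subset of Cloudflare's published edge ranges, and reports whether edge-to-origin requests arrived over http (Flexible) or https (Full or Full strict, which logs cannot tell apart).

```python
import ipaddress
import re
from collections import Counter

# Assumed nginx log_format for this example (not a Cloudflare default):
#   log_format origin '$remote_addr "$request" $scheme';
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<scheme>https?)$')

# Subset of Cloudflare's published edge ranges (https://www.cloudflare.com/ips/);
# refresh from that list before relying on the result.
CLOUDFLARE_EDGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "198.41.128.0/17", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed sample origin log: edge requests arriving as plain http,
# plus one request that did not come through Cloudflare at all.
SAMPLE_LOG = """\
173.245.48.10 "GET / HTTP/1.1" http
173.245.48.10 "GET /login HTTP/1.1" http
198.41.128.5 "POST /api/pay HTTP/1.1" http
203.0.113.7 "GET /admin HTTP/1.1" http
"""


def from_cloudflare(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_EDGES)


def count_edge_schemes(log_text: str) -> Counter:
    """Count the scheme the origin saw on each request from a Cloudflare edge.
    Requests from other addresses are counted as 'direct': they bypass
    Cloudflare entirely, which is a separate finding for the origin."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[m["scheme"] if from_cloudflare(m["ip"]) else "direct"] += 1
    return counts


def infer_ssl_mode(counts: Counter) -> str:
    """Flexible is the only mode where the edge speaks plain HTTP to the origin.
    HTTPS hits fit both Full and Full (strict); the difference between those
    is certificate validation at the edge, which never shows up in origin logs."""
    if counts["http"]:
        return "Flexible (edge-to-origin traffic is plaintext)"
    if counts["https"]:
        return "Full or Full (strict) (encrypted; validation not visible in logs)"
    return "no Cloudflare edge traffic seen"


if __name__ == "__main__":
    c = count_edge_schemes(SAMPLE_LOG)
    print(dict(c), "->", infer_ssl_mode(c))
```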

It’s not. But if a customer is claiming PCI compliance they’re likely using our WAF on the Business plan… if they’re going to pay us $200/mo for that, the odds that they wouldn’t secure the connection from CF to origin (which costs $0 extra) are pretty low.

Are there any reasons to pay for and maintain your own certificate in order to go down the options for doing Full strict SSL?

If your host will let you install your own certificates, Cloudflare can provide them.

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

But why bother if Full SSL is good enough?

Full (not strict) SSL doesn’t make sure the certificate is actually for your site.

As @sdayman already elaborated, only “Full strict” is secure. Everything else is either not encrypted at all or does not do any of the necessary validation.

If you want security you need to use “Full strict” and “Full strict” only.