HTTPS is not secure, and requests are not cached

I have a simple online game (needs Firefox / Chrome or the latest MS Edge)
https://www.theperiodictableofelementsgame.com/

It is hosted on Azure Blob Storage (static website). The Azure endpoint forces me to use HTTPS, so CF to Azure should be secure.

My CF SSL setting is Flexible.

But when I go to my URL the browser says the site is not secure. Can anyone tell me why?

Also, hardly any of the requests have a CF-HIT on them. My page rules are

1:
theperiodictableofelementsgame.com/*
Forwarding URL (Status Code: 301 - Permanent Redirect, Url: https://www.ThePeriodicTableOfElementsGame.com)

2:
www.theperiodictableofelementsgame.com/*
Auto Minify: Off, Browser Cache TTL: 30 minutes, Always Online: On, Cache Level: Cache Everything, Edge Cache TTL: a month, Automatic HTTPS Rewrites: On

Thanks!

It doesn’t appear that this is set up as a proxied service:

% host www.theperiodictableofelementsgame.com
www.theperiodictableofelementsgame.com is an alias for theperiodictablegame.z19.web.core.windows.net.
theperiodictablegame.z19.web.core.windows.net is an alias for web.dsm08prdstr06a.store.core.windows.net.
web.dsm08prdstr06a.store.core.windows.net has address 20.150.43.193

% host -t ns theperiodictableofelementsgame.com
theperiodictableofelementsgame.com name server dee.ns.cloudflare.com.
theperiodictableofelementsgame.com name server dilbert.ns.cloudflare.com.

To fix this, go to your DNS tab and click the grey cloud for “www”.

Doesn’t that kinda depend on how he has things set up? I don’t know what the default is, though. But “Full” should work, I believe: “Your origin supports HTTPS, but the certificate installed does not match your domain or is self-signed. Cloudflare will connect to your origin over HTTPS, but will not validate the certificate.”

Of course, it’s better to get it set up right and shouldn’t be hard to do.

Cloudflare will present a valid cert to the browser, of course, once it is being proxied.

Sure. He said he was set to “Flexible” right now. That should work, but yes, it isn’t secure. He is seeing an SSL error in the browser because he isn’t proxied through Cloudflare and the browser will certainly complain about the cert being presented currently. So, configuring the proxy will get him working with users. Then, yes, ideally he would get a cert in place on the origin that is valid. “Secure” is an interesting concept. Even with the invalid cert, traffic will still be encrypted and thus “secure” at one level.

Okay, we can sit here and argue all day long. I have been doing this for 25 years now, so I understand all the angles of the argument reasonably well. OP wasn’t asking to be set up in a “perfectly secure manner”, he was asking to get his site going.

@robertcope That was it, thank you very much!

It solved both the SSL and the cache problem!
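
The diagnosis used in this thread (reading `host` output to see whether a name is proxied or DNS-only) can be automated. The following is an added example, not code from any poster or from Cloudflare: it parses `host` output and checks whether the resolved IPv4 addresses fall inside Cloudflare's edge ranges. Assumptions: the range list is copied from Cloudflare's published list and may be out of date, and the `PROXIED` sample is constructed.

```python
import ipaddress
import re

# Cloudflare IPv4 edge ranges. Assumption: copied from Cloudflare's published
# list (cloudflare.com/ips); refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

ALIAS_RE = re.compile(r"^\S+ is an alias for (\S+?)\.?$")
ADDR_RE = re.compile(r"^\S+ has address (\S+)$")  # IPv4 only; AAAA lines are skipped

# Output quoted in the thread (grey cloud: the CNAME chain points at the origin).
DNS_ONLY = """\
www.theperiodictableofelementsgame.com is an alias for theperiodictablegame.z19.web.core.windows.net.
theperiodictablegame.z19.web.core.windows.net is an alias for web.dsm08prdstr06a.store.core.windows.net.
web.dsm08prdstr06a.store.core.windows.net has address 20.150.43.193
"""
# Constructed sample of a proxied (orange cloud) name; addresses are made up
# inside the Cloudflare ranges above.
PROXIED = """\
www.example.com has address 104.21.0.10
www.example.com has address 172.67.0.10
"""

def classify(host_output):
    """Return (status, cname_targets, addresses) for one `host NAME` run."""
    targets, addrs = [], []
    for line in host_output.splitlines():
        line = line.strip()
        if m := ALIAS_RE.match(line):
            targets.append(m.group(1).lower())
        elif m := ADDR_RE.match(line):
            addrs.append(ipaddress.ip_address(m.group(1)))
    if not addrs:
        return "unresolved", targets, []
    on_cf = [a for a in addrs if any(a in net for net in CLOUDFLARE_V4)]
    if len(on_cf) == len(addrs):
        status = "proxied"    # browser reaches Cloudflare: edge cert, page rules, cache
    elif on_cf:
        status = "mixed"      # some answers bypass Cloudflare
    else:
        status = "dns-only"   # browser reaches the origin directly
    return status, targets, [str(a) for a in addrs]

if __name__ == "__main__":
    for label, sample in (("thread output", DNS_ONLY), ("constructed", PROXIED)):
        print(label, classify(sample))
```

A `dns-only` result matches both symptoms reported here: the browser receives the origin's certificate rather than Cloudflare's, and page rules and edge caching never see the request.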