Https required without redirect


I need the requests with https to pass while the http requests to get 403.

I can do this with code but in this case I will need to ca origin on my server to make the ssl to be full, I tried already a lot with this but it is a lot of steps and I failed at the end.

So, I’m asking for internal feature that make all requests to be https required but I do not want to go with redirecting http to https because in this case the both will still working.

please advise.


I have a mobile app which will call an api so I want to make sure that the keys and params are encrypted if the mobile app wifi has any sniffer, so redirect will keep user can call http request which is not secured.

That is why I want to restrict all calls to only https and deny the http.

If this is not available, so what are the options I have?

In flex plan Cloudflare get https but it is sending http to me, so it not suitable.
After some search I found that I have to make the ssl to be FULL to make sure that the https will be passed from Cloudflare to host server, then I can check the request schema on server side and return 403 if it is not https.

So, I started with adding Origin Certificates to make my server able to run https but it is a very complicated to install the certificates on the server (currently it is my machine windows 10 with IIS 10).

Even if you reject HTTP requests, the request will be still sent in plain text if the application chooses to do so. Rejecting or redirecting wont change that. Assuming you control that application’s code I’d suggest to simply ensure everything is on HTTPS.

1 Like

Yes, but will not work so the mobile app developers will have to change their schema.

But in redirect case, I will also always receive https from Cloudflare and no not know if it is an original request or it was http and redirected to https.

If there any way to now that the request was http and redirected (may via header with the original request) everything will be great?

You’d first need to set your SSL mode to “Full strict”, then enable “Always use HTTPS”. In this way requests can be still sent via HTTP but they will receive a redirect to HTTPS and have to send the request a second time and only then it will be forwarded to your origin.

Implementing a bad feature to work around a problem is probably not the right direction. If you have tried installing a Cloudflare origin certificate (or another cert on your origin and failed, you should work (with the community or other resources) to resolve that issue.

In your current scenario, even if you could block inbound requests on port 80, you are still planning to make an insecure request from Cloudflare to the origin over port 80. If insecure requests are being blocked from user to Cloudflare because you want them to be secure, it would be a really bad idea to then make the request to from Cloudflare to your origin over 80. Either the data needs to be secured or it doesn’t. Since you’ve stated it does, the correct solution is to get a properly configured cert on the origin.

I agree so I will try again :slight_smile: Thanks

From your original posting I did not have the impression you planned to use Flexible. Is that not right? If it isnt it would have been one bad decision, not only but also because you seemed to be particularly concerned about security.

Yes, I wanted to use Flex plan (because I wanted to run away from installing origin certificate on my machine as it is not easy) with feature from your side to prevent non HTTPS users (prevent them, not redirect them).

After some other tries some how finally the origin certificate worked :slight_smile: so yes I should invest some time in install the certificate from the beginning. But I think it will be great ans awesome feature if Cloudflare support to select prevent non https users in the flex plan.

Thanks a lot for you and also thanks for cscharff.

That contradicts Https required without redirect - #3 by development4 now.

Anyhow, Flexible should never be used in regular cases but only for a handful of use cases where one knows exactly what he is doing.

Please see my earlier replies, there would be little point in such a feature as you wouldnt get any security benefit.

You can use a self-signed cert with Full, anyway if it’s too hard for you the simplest way to do what you want is to make a page rule:* forwarding URL to a 403 page


It might be quicker to create a Firewall Rule to block that url.


How was that with the wood and the trees? :blush:

:+1: :+1: :+1: :+1:

Still not an excuse for “Flexible” though :smile:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.