SSL gets B grade from ssllabs.com when proxied

SSL is getting a B grade and not A when in Full (strict) when proxied. When the proxy is bypassed and traffic routes directly to the hosting servers, SSL gets an A grade according to ssllabs.com. It must be an issue here in the Cloudflare configuration. How can I configure it on Cloudflare to get grade A on SSL?

Ensure TLSv1.3 is enabled, set minimum TLS to TLSv1.2, enable HSTS if you are sure you will always only serve HTTPS. Should be enough to get A+.

In which section?

In the dashboard here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

Should I activate advanced certificate manager?

No, not to improve your “score”. Universal SSL covers your domain and one level of subdomain, which I assume is all you have.

I turned on ALWAYS USE HTTPS since the website uses https, Minimum TLS version is v1.3, Opportunistic encryption is On, TLS 1.3 is ON, Automatic HTTPS Rewrites is OFF. Is this all correct?

This may be too high; some devices may not support that, so you could be closed to a number of visitors. v1.2 is a good tradeoff between secure protocols and compatibility.

Best to have this on in case you have any mixed HTTP/HTTPS content so Cloudflare can fix this for you.

So far this is the setup. Are these the best settings so far? Also, what about Enable HSTS and Disable Universal SSL? By the way, the website is on Hostinger lifetime SSL:

Always Use HTTPS - On

Enable HSTS - ?

Minimum TLS Version - TLS 1.2

Opportunistic Encryption - On

TLS 1.3 - On

Automatic HTTPS Rewrites - On

Disable Universal SSL - ?

SSL Labs will not see the Hostinger SSL certificate as your site is proxied, only Cloudflare will use that certificate.

As mentioned above, this can be turned on, but only if you are sure you won’t need HTTP for some time (default is 6 months). Enabling HSTS will tell browsers to always use HTTPS only for that period, even if you turn HSTS off.

This must remain on while your site is proxied to provide the SSL certificate on the Cloudflare edge which is the SSL connection SSL Labs will see.

When saying “HSTS will tell browsers to always use HTTPS only for that period, even if turning HSTS off”, you mean when “Always Use HTTPS” is On while HSTS is off?

No, it means a browser that has already connected to your site while HSTS is enabled will not be able to use HTTP for, say, 6 months, so your site would be inaccessible if HTTPS is not used. If you plan to always offer HTTPS for all pages on your site, then there is no issue.

See here for more details…

If unsure, leave it off and see how your site SSL scores anyway.
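An added illustration of the HSTS behaviour described above (not part of the original thread and not Cloudflare code): a toy model of a browser's HSTS store following the RFC 6797 rules. The class and function names, `example.com`, and the 180-day stand-in for "6 months" are assumptions made for the example.

```python
import re

# max-age directive inside a Strict-Transport-Security header value
MAX_AGE_RE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', re.IGNORECASE)
DAY = 86400
SIX_MONTHS = 180 * DAY  # constructed stand-in for the "6 months" default


class HstsCache:
    """Toy model of a browser's HSTS store (RFC 6797 semantics)."""

    def __init__(self):
        self.expiry = {}  # host -> time in seconds at which the policy lapses

    def on_https_response(self, host, sts_header, now):
        """Update the store from a response received over HTTPS."""
        if sts_header is None:
            return  # header no longer sent: the remembered policy is kept
        match = MAX_AGE_RE.search(sts_header)
        if match is None:
            return  # malformed header is ignored
        max_age = int(match.group(1))
        if max_age == 0:
            self.expiry.pop(host, None)  # explicit instruction to forget the host
        else:
            self.expiry[host] = now + max_age

    def scheme_used(self, host, typed_scheme, now):
        """Scheme the browser actually uses when the user asks for typed_scheme."""
        if self.expiry.get(host, 0) > now:
            return "https"  # policy still remembered: http is upgraded
        return typed_scheme


def simulate(host="example.com"):
    """Constructed timeline: HSTS on at day 0, switched off at the site on day 1."""
    browser, out = HstsCache(), {}
    browser.on_https_response(host, "max-age=%d" % SIX_MONTHS, now=0)
    browser.on_https_response(host, None, now=1 * DAY)  # HSTS turned off
    out["day 30, HSTS off at site"] = browser.scheme_used(host, "http", 30 * DAY)
    out["day 181, policy lapsed"] = browser.scheme_used(host, "http", 181 * DAY)
    # Re-enable, then send max-age=0: the only way to clear the entry early.
    browser.on_https_response(host, "max-age=%d; includeSubDomains" % SIX_MONTHS, now=200 * DAY)
    browser.on_https_response(host, "max-age=0", now=201 * DAY)
    out["day 202, after max-age=0"] = browser.scheme_used(host, "http", 202 * DAY)
    return out


if __name__ == "__main__":
    for step, scheme in simulate().items():
        print(step, "->", scheme)
```

A returning visitor's browser only sees `max-age=0` if it can still reach the site over HTTPS, which is why the entry cannot be cleared once HTTPS itself has been dropped.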

Does https protect the website from being attacked by the bad actors competitors vs http? Can the website’s affiliate links be vulnerable to the attackers if http is used in the mix? Does https actually have anything to do with protection of the affiliate links vs protecting the website itself with other means like security plugins etc?

Thank you for your help!!!

All the grades are A now. Thanks again!!!
