SSL pinning

We’re researching whether CF has a seamless solution for SSL pinning.

The SSL strict feature doesn’t seem to offer the same level of protection from MITM attacks, judging by the blog post and comments. Is that correct? What would be the recommended technical setup that would offer this security level without interruptions to our operations when the certificate is changed on CF’s end?


There is no such feature at the moment. Full (strict) is the most secure solution you can currently get on Cloudflare. Though MITM attacks should actually be pretty tricky in this context, as you’d need to have a publicly trusted certificate for your domain.

Note that HPKP is on its way out, so currently there is no way to key pin on browsers.

What you should do, however, is make sure you’re taking advantage of CAA records. Certificate Authorities have to check these records to confirm they are authorized to issue certificates for a domain before they issue one. If you want to make sure only your authorized Certificate Authority can issue TLS certificates, make sure their CAA record is on your domain. If you use Universal SSL, the required records are in the help article below.
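To make the CAA mechanism concrete, here is an added example (not code from this thread or from Cloudflare) that parses CAA records in zone-file presentation format and evaluates them the way a CA's pre-issuance check does under RFC 8659: `issue` records govern ordinary names, `issuewild` records take precedence for wildcard names, an empty issuer (`";"`) forbids every CA, and a record with the critical flag set whose tag the CA does not understand blocks issuance. The sample records, the CA names used as inputs, and the account parameter are constructed for illustration; the required records for Universal SSL come from the help article, not from this example. Note that a real CA also walks up to parent labels when a name has no CAA set; this example only evaluates the record set it is given.

```python
"""Evaluate a CAA record set the way a CA's issuance check does (RFC 8659).

Added example; constructed sample data, not Cloudflare's published records.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Property tags a CA is expected to understand; anything else marked critical denies issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659, section 4.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Presentation format: <flags> <tag> "<value>"  (quotes optional for simple values)
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record from its zone-file representation."""
    m = _CAA_RE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3).strip())


def parse_caa_set(lines: Iterable[str]) -> List[CAARecord]:
    """Parse the whole record set published at one name."""
    return [parse_caa(line) for line in lines]


def issuer_domain(value: str) -> str:
    """Strip CA-specific parameters: 'ca.example; account=123' -> 'ca.example'.

    An empty result (value ';' or '') means no CA at all is authorized.
    """
    return value.split(";", 1)[0].strip().lower()


def ca_authorized(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for this name."""
    ca_domain = ca_domain.lower()
    # Unknown property marked critical: the CA must not issue (RFC 8659, section 4.1).
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    # For wildcard requests, issuewild records win when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        # No property of this kind at this name: no restriction here.
        # (A real CA would climb to parent labels before concluding this.)
        return True
    return any(issuer_domain(r.value) == ca_domain for r in relevant)


# Constructed sample zone: two CAs allowed for ordinary names, no wildcards at all,
# plus an iodef reporting address. Replace with the records your CA documents.
SAMPLE_ZONE = [
    '0 issue "letsencrypt.org"',
    '0 issue "digicert.com; account=12345"',
    '0 issuewild ";"',
    '0 iodef "mailto:caa-violations@example.com"',
]


if __name__ == "__main__":
    records = parse_caa_set(SAMPLE_ZONE)
    for ca in ("letsencrypt.org", "digicert.com", "globalsign.com"):
        for wild in (False, True):
            verdict = "allowed" if ca_authorized(records, ca, wildcard=wild) else "denied"
            print(f"{ca:16s} wildcard={wild!s:5s} -> {verdict}")
```

Run it against your own zone's CAA records (for example, the output of a `dig CAA` query pasted into `SAMPLE_ZONE`) to confirm that only the CA you intend, and no wildcard issuance you did not intend, passes the check.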


Also, it’s worth mentioning this blog post which just came out:

