Suggest Installing Cloudflare Plugin Before Allowing to use Flexible

I have been there for a few days, and what I noticed is that many people use Cloudflare for the sake of obtaining a free SSL certificate. They think it’s an easy one click and done. Things are never always like that.

Someone coming from a non-technical background would be left with a frustrating feeling and a feeling of being trapped after changing nameservers and getting the site down. This experience can be fixed.

Here is how -

When Cloudflare does not detect any SSL at a WordPress site's origin server, it keeps Flexible by default. That’s OK… but why not suggest at the same time keeping the Cloudflare plugin to do the job it is supposed to do:

if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
	$_SERVER['HTTPS'] = 'on';
}

For that, you need to figure out if someone is using WordPress. Send them direct, helpful instructions on how to install the plugin…

or… insist on Cloudflare Origin SSL. This will greatly reduce queries like redirect loop, SSL error, etc.
Onboarding needs to improve…

Thanks
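The snippet in the post above trusts X-Forwarded-Proto from any client, so anyone who can reach the origin directly can set it. This added example (not the poster's code or the Cloudflare plugin's) honours the header only when the connecting peer is a known proxy; the TRUSTED_PROXIES ranges and both function names are assumptions for illustration.

```php
<?php
// Added example, not from the original post or the Cloudflare plugin.
// TRUSTED_PROXIES holds constructed placeholder ranges (RFC 5737
// documentation networks); replace them with your proxy's published ranges.
const TRUSTED_PROXIES = ['192.0.2.0/24', '198.51.100.0/24'];

// True when IPv4 address $ip lies inside CIDR block $cidr (64-bit PHP assumed).
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false
        || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed input or IPv6 never matches
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Decide whether the visitor's request used HTTPS, given a $_SERVER-like array.
function request_is_https(array $server, array $trusted = TRUSTED_PROXIES): bool
{
    // TLS terminated on this server: no header needed.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') !== 'https') {
        return false;
    }
    // Honour the header only when the TCP peer is a known proxy.
    foreach ($trusted as $cidr) {
        if (ipv4_in_cidr($server['REMOTE_ADDR'] ?? '', $cidr)) {
            return true;
        }
    }
    return false; // header sent by an untrusted peer: ignore it
}

if (PHP_SAPI !== 'cli') {
    if (request_is_https($_SERVER)) {
        $_SERVER['HTTPS'] = 'on';
    }
} else {
    // Constructed sample requests: one via a trusted proxy, one direct.
    $viaProxy = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'];
    $direct   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
    var_dump(request_is_https($viaProxy), request_is_https($direct));
}
```

Even when the header is honoured, it only describes the visitor-to-proxy leg; under Flexible the proxy-to-origin leg is still plain HTTP.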

Coming to Cloudflare just for SSL is a terrible idea. If it’s just SSL they want, they should get it from their host. If they want to invest time into the SSL venture because their host does not support free SSL, then put that effort into switching hosts.

Flexible SSL is a bad option for people looking for a quick fix. It’s for those who have a legacy system that cannot support SSL and is a drastic last resort for people who know the implication of what they’re requesting.

If SSL is important, do it right from the start. Don’t band-aid a fake security fix over a poorly built system. That’s not how security works. Making it easier for people to implement false security is a step in the wrong direction.

4 Likes

OK… Not the Flexible hack, but at least we can insist on Cloudflare Origin SSL when not detected with common names matching

The whole Flexible issue is one big problem and Cloudflare should have never introduced this for marketing purposes in the first place. It does not really contribute to making the Internet more secure but only adds a deceiving layer of apparent security and it also is the source of quite a few issues and threads on this forum (e.g. redirect loop).

This has been addressed quite a few times but Cloudflare does not seem to want to fix that. There’s even a product request to make this at least more transparent (so that users can know if their data is actually transmitted without encryption) at Header indicating encryption status of the origin connection, unfortunately also without any reaction from Cloudflare.

As @sdayman said, the only fix is to enforce proper encryption. Cloudflare would need to address that but they don’t want to.

3 Likes
