Why flexible SSL mode is not the best choice

Flexible

The connection between your visitor and Cloudflare is secured, but the connection between Cloudflare and your server is not. You will not need a certificate on your server for this mode. This option is NOT RECOMMENDED.

Flexible makes your site only partially secure: it encrypts the connection between the visitor and Cloudflare, so visitors see the padlock in their browser and the site gives the impression of being secure. However, the connection between Cloudflare and your origin server is unencrypted, and traffic can be intercepted there.


What to do about it:

Ideally, you should install an SSL certificate on your server and set the SSL mode to “Full (strict)” (recommended) or “Full”. This encrypts the traffic on both legs: between the user and Cloudflare, and between Cloudflare and your server.

You can use a free Let’s Encrypt certificate, generate a free Cloudflare origin certificate (SSL/TLS app), or use a paid certificate.

This is needed to make your site fully secure and is essential if you process any user-submitted data (e.g. logins) or personalized data through your site.
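To see which requests are exposed on the unencrypted leg, an origin can compare the port a request arrived on with the `CF-Visitor` header that Cloudflare adds. The following is an added example, not part of the original tutorial; the record layout, sample requests and function names are constructed for illustration, and it assumes the origin only accepts traffic from Cloudflare (otherwise the header can be forged).

```python
import json

# Constructed sample records, one per request as an origin might log it.
# "port" is the origin port that accepted the connection; "cf_visitor" is the
# raw CF-Visitor request header (JSON carrying the visitor-side scheme).
SAMPLE_REQUESTS = [
    {"path": "/login", "port": 80, "cf_visitor": '{"scheme":"https"}'},
    {"path": "/", "port": 443, "cf_visitor": '{"scheme":"https"}'},
    {"path": "/old", "port": 80, "cf_visitor": '{"scheme":"http"}'},
    {"path": "/health", "port": 80, "cf_visitor": None},
    {"path": "/probe", "port": 80, "cf_visitor": "not-json"},
]


def visitor_scheme(cf_visitor):
    """Return 'http' or 'https' from CF-Visitor, or None if absent or malformed."""
    if not cf_visitor:
        return None
    try:
        value = json.loads(cf_visitor)
    except ValueError:
        return None
    if not isinstance(value, dict):
        return None
    scheme = value.get("scheme")
    return scheme if scheme in ("http", "https") else None


def classify(request, tls_ports=(443,)):
    """Label one request by which legs of the path were encrypted."""
    scheme = visitor_scheme(request.get("cf_visitor"))
    if scheme is None:
        return "unknown"  # no usable header: cannot tell what the visitor saw
    if scheme != "https":
        return "visitor-not-https"
    if request["port"] in tls_ports:
        # The origin cannot tell Full from Full (strict) here: whether the
        # certificate was validated is decided on Cloudflare's side.
        return "encrypted-both-legs"
    # Visitor saw HTTPS, origin received plaintext: the Flexible pattern.
    return "plaintext-origin-leg"


def flexible_exposure(requests):
    """Paths the visitor reached over HTTPS that crossed to the origin unencrypted."""
    return [r["path"] for r in requests if classify(r) == "plaintext-origin-leg"]
```

In the sample, only `/login` is flagged: the visitor saw HTTPS, yet the request reached the origin on port 80.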



This is a Community Tutorial. Most are wiki posts, so they can be contributed to by Regulars and MVPs here; you can view all the community tutorials here. If there is a tutorial you would like to see, you can request one here.

Other great resources on this community include the Community Tips. These address best practices when configuring Cloudflare, how to fix issues you may see, and tools to troubleshoot. You can also view Expert Tips, great posts on the community that can help users with a similar issue.

We encourage users to check out these great resources and the Cloudflare Support Centre before posting.
