Why flexible SSL mode is not the best choice

Flexible

The connection between your visitor and Cloudflare is secured, but the connection between Cloudflare and your server is not. You will not need a certificate on your server for this mode. This option is NOT RECOMMENDED.

Flexible makes your site partially secure - it encrypts the connection between the visitor and Cloudflare - this means they see the :ssl: in their browser and the site leaves the impression to be secure! However the connection between Cloudflare and your origin server is unencrypted and traffic can be intercepted there.

Even if you wish to pursue an insecure connection, Flexible SSL causes other problems for sites configured for HTTP at the host such as Mixed Content errors, Redirect Loops, or the site stops working completely.


What to do about it:

Ideally, you should install an SSL certificate on your server and set the SSL mode to “Full (strict)” (recommended) or “Full”. This fully encrypts the traffic between both the user and Cloudflare and between Cloudflare and your server.

You can use a free Let’s Encrypt certificate, generate a free Cloudflare origin certificate (SSL/TLS app) or use a paid certificate.

This is needed to make your site fully secure and is essential if you process any user submitted (e.g. logins) or personalized data through your site.



This is a Community Tutorial, most are wiki posts, so can be contributed to by Regulars and MVPs here, you can view all the community tutorials here. If there is a tutorial you would like to see, you can request one here.

Other great resources on this community include the Community Tips . These address best practices when configuring Cloudflare, how to fix issues you may see, and tools to troubleshoot. Also you can view Expert Tips, great posts on the community that can help users with a similar issue.

We encourage users to check out these great resources and the Cloudflare Support Centre before posting

13 Likes
Full SSL x Flexible with HSTS enabled
SSL - Not secure
About DNS Records
My website is unreachable
SSL Expiration
Google Recaptcha showing up on all our pages
SSL/TLS Flexible and Full setting not working
Can't acess my website from my network
Flexible SSL Not working. Port issue?
SSL Certificate Active (Flexible) Not Working
SSL flexible active but not secure https
My .app domains won't display CSS, forces basic HTML. What's happening?
Site Cannot Complete SSL Connection
Transferring website from hosting service to home webserver
Need help regarding ssl for subdomain
My CloudFlare domain currently uses port 443 into my network and I want to use port 80
What is an SSL certificate?
Godaddy website goes down constantly with Cloudflare SSL
SSL from FLEXIBLE to FULL will point to wrong website?
Https is crossed
Can not access wordpress dashboard
Unavailable domains after changing DNS
Changing Server & new IPs
504 Timeout Error
Site isn't working after pointing nameservers to Cloudflare trying to add SSL
#URGENT: Unauthorized Redirect (To The Same Website // 3 Separate Accounts) Help
Cloudflare cdn on alternate file domain breaks the styling of the page on phabricator
SSL flexible active but not secure https
SSL configuration problem
522 error - trying to host on android phone termux nginx mobile connection with ipv6
Community Tutorials
Error 552 while trying to access HTTPS website
Always Use SSL Missing
The certificate uploaded is NOT for the domain name ipllivescore.live ( CloudFlare Origin Certificate was seen )
Switched to Cloudflare, now root domain name and subdomain do not work
Website looking like raw HTML
Pro Licence subscription details
Please ensure you are providing the root domain and not any subdomains (e.g., example.com, not subdomain.example.com)
Redirection loop : wrong SSL config?
Problem with mixed-content after updating links to https
SSL keeps disconneting
Why doesn't java detect https on my cloudflare url?
Error 521 GoDaddy and Cloudflare
I have added a website in the Pro account and changed Name-servers but no SSL
Detecting non-strict SSL setups
Help Please: Connection to site not secure message
Does Flexible SSL cover sub-domains
Can SSL/TLS encryption mode is Full (strict) lead to performance issues?
Flexible mixing HTTP and HTTPS web servers
Moved Nameserver to Cloudflare - Images not loading
Problem connecting 000webhost Freenom Cloudflare
Point CNAME to Static website on S3 is not working
Subdomain "Page Not Found"
Subdomain "Page Not Found"
Your connection is not private on My Website
Cant access my website after installing free SSL from your website
SSL vs Page Rule SSL
Using Let’s Encrypt SSL, got message from hosting cant extend SSL
SSL/TLS app Settings
Website SSL Not Working
Cloudflare not forwarding all http requests to https
Website doesn't open with WWW
Site not showing secure yet
I'm confused about nginx setup file-to edit or not to edit
Best method/configuration for a HTTPS website?
Though Universal SSL is active it is not showing the HTTPS
"Invalid SSl Certificate"
Https from Cloudflare, http from S3?
I cannot access my wordpress admin after activating cloudflare
SSL Not Work on my website
ERR_TOO_MANY_REDIRECTS & Subdomain SSL Error
Configuration for SSL between a domain with it's own origin cert and another without
It is showing error 525 ssl handshaked failed
Why doesn't Flexible SSL mode check origin for certificate first?
525 error - called Godaddy and was told the issue is with Cloudflare
SSL Error Pitchmagic to Google Domains to Cloudflare
Please help! My site velocube.ru dont worked
Step 2: Setting up SSL with Cloudflare
Why my site is not live with cloudflare?
SSL Active but still "Not Secure"
HTTPS not working on Subdomain
Community Video Tutorials
404 error after changing DNS
SSL is active but site is insecure
Subdomain works, but I have no access to Wordpress Admin
My website is not secure yet?
Missing certificate
Is Https: automatically switched On?
My Site Down After Change Host IP
Clouflare serves the incorrect certificate
A record changed, but not propagating
Getting SSL Errors after a while when setting up cloudflare with 000webhos
I can't change from full to flexible SSL
Connection to this is not secure?
Error 520 a day after adding SSL Certificate
Urgent! Please Help
301 Redirect - ERR_TOO_MANY_REDIRECTS
SSL and pics on www
Website is not working powercraftmcs.nl
Is cloudflare free SSL have security Issue?
Is cloudflare free SSL have security Issue?
Can't open my website without VPN
Let's Encrypt SSL cannot renew with Cloudflare
DNS record seem to not being propagated properly
Serving large downloads via ssl / https
Can't edit or create Wordpress post while proxied by Cloudflare
CNAME SSL Problems
Mixed SSL mode: Full AND Flexible (for different subdomains)
Error too many redirect
SSL ISSUE Activation
Flexible SSL working for 4 out of 5 domains
Strange double IP situation
522 on insecure setup
Heroku Bad Request Server 400 Error
My webiste not working on mobile data
SSL(flexible) blocking certain content
Setting up a SSL/TLS encryption mode for each subdomain
Whenever i start 'Always Use HTTPS' on cloudflare my website down
Can't connect to the server
Site not secure SSL flexible
Fails to log in to WordPress
"Your site could not complete a Loopback Request" Error
After Change http to https website dashboard not opening
All the image post links on my wordpress site are broken once my flexible SSL certificate has been confirmed
NET::ERR_CERT_COMMON_NAME_INVALID - site still not secure
Changing DNS records for flexible ssl
Zonelockdown, AWS SGs, flexible SSL - remote_addr question
No SSL for my Site
Certificate still showing self signed
Ssl not working on my domain?
Got HTPPS for a couple of weeks then it changes to HTTP
Cloudflare SSL Settings only for Subdomain
Https version of domain not working
No puedo entrar a editar mi pagina
Unable to login with Wordpress
Flexible SSL for specific sub-domain
Multiple subdomains, how to choose which gets SSL
Error 403 on just set up site
Ssl is not working with
Cloud Flare SSL not working for my wordpress site
My wordpress website dont run using Cloudfare SSL
Godaddy Domain Namechap Hosting Cloudflare SSL
Bug (?) with "Always Use HTTPS" and urls not ending in "/"
Http:// redirects to https:// then https:www
SSL https issue
Cannot Access Wp-Admin After Cloudflare Active
Error 522 with GoDaddy
My website not working
Can't access website after enable SSL certificate flexible
ERR_SSL_PROTOCOL_ERROR showing
Your connection isn't private
Too Many Redirects Errors with a Specific Data Center
Website is down after installing CloudFlare SSL
Not fully secure
SSL is Active but website is not secure, please help!
Account active but ssl not working
I need http and https both working
Working IP from AWS EC2 not working through cloudflare (basic setup)
Java script not working
SSL showing not secure https://www.eliothealthcare.com/
404 error when Diag
Site Not Loading After Changing Nameservers
Load more poste button it doesn't load
Some pages are showing that it is "Not Secured"
Ports for ssl/tls flexible mode
SSL handshake 525 error
No activation of Flexible SSL Certificate
SSL www vs promax .me
How can I resolve a 525 error for my glide app on a subdomain of my website?
My A record may be using the wrong IP address
Cloudflare Active & WP Plugin but No PadLock
Configuring Cloudflare with surge.sh hosting
SSl Redirect Issues: ERR_TOO_MANY_REDIRECTS
Redirecting http to https
WordPress login issues
Will upload html files but won't upload image files
Mailed stopped working
I setup into cludflare and my contact form stop working
My ssl is not working. It's set to flexible but not working
Getting error as this page isnt working
My website not working now why?!?!?
When will cloudflare charges
Error 526 SSL Invalid changing the encryption mode from Flexible to Full (Strict)
Custom Domain Cloudflare
SSL certificate not coming through for CNAME custom third party app domain
Cloudflare website is unavailable
Your site could not complete a Loopback Request
SSL Encryption Mode: Error 522 on subdomains or ERR_TOO_MANY_REDIRECTS on main domain
#URGENT: Unauthorized Redirect (To The Same Website // 3 Separate Accounts) Help
Google Recaptcha showing up on all our pages