Why is 94% of my traffic not secure?

Hi all,

I’ve recently setup my domain and various endpoints behind Cloudflare.

For some reason, only 5-6% of requests are served over TLS.

The following settings are defined for my domain under SSL/TLS.

  • Always Use HTTPS: On
  • HTTP Strict Transport Security (HSTS): On
  • Minimum TLS Version: TLS 1.2
  • Opportunistic Encryption: On
  • TLS 1.3: On
  • Automatic HTTPS Rewrites: On

Given all of that configuration my understanding is that all traffic should be over TLS (1.2+) except the initial HTTP request that may be redirected.

Some pointers on why this may be happening would be appreciated. Thanks in advance.

In addition to actually securing your site with Full (Strict), I suspect that stat is due to a high number of bots calling your site with http. Cloudflare will send a 301 redirect to HTTPS, but dumb bots won’t follow that redirect.

Thanks for the replies.

Currently the origin certificates are not signed by a trusted CA. They will be in the near future and I will then change to Full (strict).

The bot theory makes sense and isn’t something I’d considered. Currently the site isn’t used my many actual users. I’ll see if the stats improve once genuine traffic picks up.

1 Like