This comes up here all the time. An unfortunately large proportion of Cloudflare’s users set their SSL mode (crypto tab) to Flexible and presume it makes their site secure.
There are unfortunately a lot of tutorials and instructions out there that say something along the lines of ‘just set it to flexible and everything will work’. They should explain fully the implications of this.
I get asked quite a lot why people shouldn’t use flexible. Here is the answer!
The connection between your visitor and Cloudflare is secured, but the connection between Cloudflare and your server is not. You will not need a certificate on your server for this mode. This option is NOT RECOMMENDED.
Flexible makes your site partially secure - it encrypts the connection between the visitor and Cloudflare - this means they see the in their browser and makes them think it is fully secure. It is not! The connection between Cloudflare and your origin server is unencrypted and traffic can be intercepted there.
What to do about it:
You should install an SSL certificate on your server and set the SSL mode to Full or Full (strict). This fully encrypts the traffic between both the user and Cloudflare and between Cloudflare and your server.
You can use a free Let’s Encrypt certificate, generate a free Cloudflare origin certificate (crypto tab) or use a paid certificate.
This is needed to make your site fully secure and is essential if you process any user submitted (e.g. logins) or personalised data through your site.
This is a Community Tutorial, most are wiki posts, so can be contributed to by Regulars and MVPs here, you can view all the community tutorials here. If there is a tutorial you would like to see, you can request one here.
Other great resources on this community include the Community Tips . These address best practices when configuring Cloudflare, how to fix issues you may see, and tools to troubleshoot. Also you can view Expert Tips, great posts on the community that can help users with a similar issue.
We encourage users to check out these great resources and the Cloudflare Support Centre before posting