Why you should choose Full Strict, and only Full Strict

Unencrypted & unverified connections

Imagine you open PayPal and suddenly get this warning:

[image: browser security warning]

Would you continue? Probably not. For decades, leaders in IT security have advocated that site owners upgrade from unencrypted HTTP to secure HTTPS, and for a good reason: everything you send over an HTTP connection is transmitted in plain text and can be intercepted at any point between you and the server.

Equally, you would probably not proceed if you got such a warning, right?

That warning appears when the server does present a certificate, but one that has not been signed by a certificate authority your browser trusts. The connection is technically encrypted, but without verification anyone could have presented that certificate, and whoever did can intercept your data.

Unfortunately, many site owners are not aware of this, and these two setups are common on Cloudflare. Millions of sites on Cloudflare have one of these two insecure configurations and are essentially left with no security at all.

Why don't you see more warnings, you ask? Because Cloudflare's proxies front these sites and present a valid HTTPS connection to the visitor while, in the background, the traffic to the origin server is still transmitted in one of the insecure ways described above.

In either case, a third party can intercept, record, and manipulate these connections without you, Cloudflare, or your visitors having the slightest idea that someone unauthorised is accessing your very private communication.

Full Strict

This is where the encryption modes on the SSL/TLS page of your dashboard (https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls) come in.

Make sure you have "Full Strict" selected here. Only with that mode selected do you have a guarantee that Cloudflare will verify the connection to your server and will not let third parties take over your data. Anything else is as if you had no certificate, or one that can't be verified (the certificate warning from above), and puts your data and the data of your visitors at risk.

Origin certificate

This brings us to the next step in securing your server: making sure you have a proper certificate on your server in the first place.

There are plenty of providers who will sell you certificates, and while these certificates are perfectly fine, you should know that there are quite a few free options these days as well. Check out letsencrypt.org for that; alternatively, Cloudflare also offers its own free certificates for installation on your server. More information is available in Cloudflare's documentation, and you can get one issued straight from your SSL/TLS screen.

Once you have the certificate and the private key, you just need to install them on your server (please talk to your host or refer to the documentation of your web server for details on that), and you'll be good to go with a properly secured connection on Full Strict.
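Before flipping the switch to Full Strict it is worth checking that the origin's certificate would actually pass Cloudflare's verification, because a certificate that fails verification turns into a 526 "Invalid SSL certificate" error and a server without working TLS into a 525 "SSL handshake failed". The script below is an added example, not part of this tutorial or of Cloudflare's tooling; it assumes openssl 1.1.0 or newer is installed, that ORIGIN is your server's address and SITE your hostname, and that, if you installed a Cloudflare Origin Certificate, you pass Cloudflare's Origin CA root as a CA file, since that CA is trusted by Cloudflare but not by your system's trust store.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight check of an origin server for "Full Strict".
# Assumes openssl >= 1.1.0 on PATH (needed for -verify_hostname). Only probe_origin needs network.

# Map the "Verify return code" line of an openssl s_client transcript to the outcome
# Cloudflare's verification would produce. Prints one of:
#   strict-ok           chain and hostname verify -> Full Strict will work
#   strict-fail:<why>   TLS works but verification fails -> Full Strict rejects it (526)
#   no-tls              no TLS handshake at all -> even non-strict modes fail (525)
classify_verify() {
  code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
  case "$code" in
    '')    echo "no-tls" ;;
    0)     echo "strict-ok" ;;
    10)    echo "strict-fail:expired" ;;
    18|19) echo "strict-fail:self-signed" ;;
    20|21) echo "strict-fail:untrusted-issuer" ;;   # also what an Origin CA cert shows without -CAfile
    62)    echo "strict-fail:hostname-mismatch" ;;
    *)     echo "strict-fail:openssl-code-$code" ;;
  esac
}

# Probe a live origin. $1 = origin host or IP, $2 = site hostname (used for SNI and the
# hostname check), $3 = optional CA bundle, e.g. Cloudflare's Origin CA root.
probe_origin() {
  cafile_opt=""
  if [ -n "${3:-}" ]; then cafile_opt="-CAfile $3"; fi
  # Deliberately no -verify_return_error: let the handshake finish so the code line is printed.
  out=$(printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$2" \
        -verify_hostname "$2" $cafile_opt 2>&1)
  classify_verify "$out"
}

# Usage (placeholders): probe_origin ORIGIN SITE [CAFILE]
```

A result of strict-fail means the connection is encrypted but would be rejected under Full Strict; fix the certificate on the origin (expiry, issuer, or hostname) rather than downgrading the mode.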
