Yet another pointless discussion about Flexible

SSL certificates have been available for free since Letsencrypt started in 2015.
But a lot of people don’t know about this, and hosting providers try to charge
hundreds of dollars per year for SSL certificates which should be free.
Don’t fall for it.

Cloudflare provide automatic SSL certs for all your domains which just work,
even on their Free plan.
This provides a SSL link between your users and Cloudflare.
If you host a static website without logins or private info, then this would be all you need.
If you have personal info on your servers, then use a free cert of a CF provided origin cert
to encrypt the connection between CF and your backend.

1 Like

Even earlier with StartCom in 2005.

This is wrong I am afraid. You always need a proper certificate on your server too.


With flexible mode you don’t need a SSL cert on your origin server.

Unless you want an insecure site you should never choose that. You should always pick Full Strict.

There are entire tutorials here on the forum on that topic. I’d invite you to check those out first.

1 Like

The option does exist for a reason, and is perfectly fine for public sites where users do not log in, and where there is no personal content. I help out with a number of sites which use this option
as they are hosted on providers which charge an unreasonable fee for SSL.
(Unreasonable in this context is any amount larger than zero).

As I already wrote, I’d recommend to check out aforementioned tutorials. This topic has been discussed a gazillion times and most certainly does not need another thread. Please use the search as well.

As mentioned, no, it is not perfectly fine and you should always choose Full Strict, otherwise your site will be insecure. Please do not mislead users.

1 Like

Totally agree with sandro comments.

Flexible SSL should be removed IMO, most that don’t know much fall into a false sense of safety when it is not. Not trying to pile on, but he speaks the truth.

1 Like

If you should “always choose Full Strict” .

then cloudflare would not have provided the option to select other encryption modes.

Please do not derail this topic. You were pointed towards the correct resources, so please use them.

1 Like

There are, as you say there are some good tutorials on encryption modes on CF.
e.g. Why flexible SSL mode is not the best choice

The tutorial ends with the advice
This is needed to make your site fully secure and is essential if you process any user submitted (e.g. logins) or personalized data through your site.

My emphasis.

So if your site does not process user submitted or personalised data, then flexible can be a reasonable
choice.

As I said, the option does exist for a reason.
Horses for courses.
Different people have different requirements when it comes to security.
And some have their hands tied by unreasonable policies imposed by hosting providers.

All the best…

As I mentioned, all of this has been addressed a gazillion times and can be found via the search. I am not sure why we are discussing this once again.

As this is off-topic to the OP’s original question, the discussion has been now moved to its own thread.

1 Like

Yeah but it’s a very bad idea!

You should use Full (Strict) instead of flexible!