Flexible

Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.

flowchart LR
    accTitle: Flexible SSL/TLS Encryption
    accDescr: With an encryption mode of Flexible, your application encrypts traffic between the visitor and Cloudflare, but not between Cloudflare and your server.
    A[Browser] <--Encrypted--> B((Cloudflare))<--Unencrypted--> C[(Origin server)]

Use when

Choose this option when you cannot set up an SSL certificate on your origin or your origin does not support SSL/TLS.

Required setup

Prerequisites

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.

To change your encryption mode in the dashboard:

Log in to the Cloudflare dashboard ↗ and select your account and domain.
Go to SSL/TLS.
Choose an encryption mode.

To adjust your encryption mode with the API, send a PATCH request with ssl as the setting name in the URI path, and the value parameter set to your desired setting (off, flexible, full, strict).

Limitations

Flexible mode is only supported for HTTPS connections on port 443 (default port). Other ports using HTTPS will fall back to Full mode.

If your application contains sensitive information (personalized data, user login), use Full or Full (Strict) modes instead.

Authenticated Origin Pull does not work when your SSL/TLS encryption mode is set to Off or Flexible.

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings