Skip to content

Strict (SSL-Only Origin Pull)

When you set your encryption mode to Strict (SSL-Only Origin Pull), connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.

The certificate presented by the origin will be validated the same as with Full (strict) mode.

flowchart LR
    accTitle: Strict (SSL-Only Origin Pull) SSL/TLS Encryption
    accDescr: With an encryption mode of Strict (SSL-Only Origin Pull), all connections to the origin will always be made using SSL/TLS.
    A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[("Origin server (verified) #9989;")]

Use when

You want the most secure configuration available for your origin, you are an Enterprise customer, and you meet the requirements for Full (strict) mode.

Required setup

The setup is generally the same as Full (strict) mode, but you select Strict (SSL-Only Origin Pull) for your encryption mode.

Process

To change your encryption mode in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account and domain.
  2. Go to SSL/TLS.
  3. Choose an encryption mode.

Limitations

Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.