SSL/TLS Setting Recommendation



    I've received several of these emails from Cloudflare over the past couple of days:

    Your SSL/TLS Setting Recommendation

    Thanks for enabling SSL/TLS Recommender in the dashboard. You’re receiving this email because our security service observed the SSL/TLS mode for xxxxxxxxxx.xxx is Full but would benefit from the additional security provided by Strict.

    They have all been for the only non-WP sites that I host (just HTML sites).
    Is there a reason that these HTML sites would benefit from this additional security?
    If so, why, and is it really a better option?
    These also happen to be my busiest sites, with several thousand visitors weekly. (It's a local motorsports racing organization with a site for each of their various divisions. Each site has latest results, points standings, upcoming events, weather cancellations, etc.)


    I'm pretty sure this is simply an "upsell" attempt. The term "FULL" within Cloudflare's SSL modes doesn't mean 'beyond capacity', but an identifying method of the different modes (Flexible / Full / Strict / Off). And each of those dictates how Cloudflare treats incoming URL requests (i.e. turning HTTP into HTTPS or rejecting anything not HTTPS or a variation).

    The push to go "Strict" is a way for them to sell you a standalone SSL certificate.

    Now... it's also possible (small chance) that your previous SSL certificate has expired and the "Full" SSL Mode actually doesn't verify if the used certificate is valid or expired.


    I'm using a security certificate through Server Pilot.


    1) Off: No encryption applied
    2) Flexible: Encrypts traffic between the browser and Cloudflare
    3) Full: Encrypts end-to-end, using a self-signed certificate on the server
    4) Full (strict): Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server

    Full vs Strict has to do with what type of certificate you have on your server. If it's not self-signed, and an actual CA-issued certificate, then you can use strict. Either way, the important thing is to have an actual CA certificate on your site (i.e. via Let's Encrypt), which it sounds like you do. After that, it shouldn't really matter whether it's Full or Strict at Cloudflare.

    If it is an upsell attempt, I've never seen it as being in your face about it.
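
The difference between Full and Full (strict) discussed in the posts above comes down to whether the origin certificate is validated: trusted issuer, not expired, and matching the hostname. The following is an added example, not part of any post in this thread, that runs those three checks with `openssl verify` on certificates it constructs itself; the function names, file names, the demo CA and the `example.test` hostnames are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example. The CA bundle argument stands in for the trust store that
# Full (strict) relies on (public CAs or the Cloudflare Origin CA root).

# strict_ready CERT HOSTNAME CA_BUNDLE [UNIX_TIME]
# Succeeds only if CERT chains to CA_BUNDLE, is within its validity period
# (now, or at UNIX_TIME), and names HOSTNAME. Full mode skips these checks.
strict_ready() {
  local out
  if out=$(openssl verify -CAfile "$3" -verify_hostname "$2" \
             ${4:+-attime "$4"} "$1" 2>&1); then
    echo "PASS $1 for $2"
  else
    echo "FAIL $1 for $2: $(printf '%s\n' "$out" | grep -m1 '^error')"
    return 1
  fi
}

# make_demo_certs DIR HOSTNAME: constructed test material, valid for 30 days.
#   self.pem = self-signed leaf, ca.pem = demo CA, leaf.pem = issued by ca.pem
make_demo_certs() {
  local d=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/ext.cnf" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/leaf.pem" 2>/dev/null
}

# Demo on constructed certificates; hostnames are placeholders.
d=$(mktemp -d) && make_demo_certs "$d" origin.example.test
strict_ready "$d/leaf.pem" origin.example.test "$d/ca.pem"           # passes
strict_ready "$d/self.pem" origin.example.test "$d/ca.pem" || true   # untrusted issuer
strict_ready "$d/leaf.pem" other.example.test  "$d/ca.pem" || true   # name mismatch
later=$(( $(date +%s) + 60 * 86400 ))                                # 60 days ahead
strict_ready "$d/leaf.pem" origin.example.test "$d/ca.pem" "$later" || true  # expired
```

To check a real origin, save its certificate chain to a file and pass the system CA bundle (or the Cloudflare Origin CA root, if that is what issued it) as the third argument.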
