Full (strict)
When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
flowchart LR
    accTitle: Full - Strict SSL/TLS Encryption
    accDescr: With an encryption mode of Full (strict), your application encrypts traffic going to and coming from Cloudflare.
    A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[("Origin server (verified) #9989;")]
For the best security, choose Full (strict) mode whenever possible (unless you are an Enterprise customer).
Your origin needs to be able to support an SSL certificate that is:
- Unexpired, meaning the certificate presents notBeforeDate < now() < notAfterDate.
- Issued by a publicly trusted certificate authority or Cloudflare’s Origin CA.
- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
 
Before enabling Full (strict) mode, make sure your origin:
- Allows HTTPS connections on port 443.
- Presents a certificate matching the requirements above.
 
Otherwise, your visitors may experience a 526 error.
To change your encryption mode in the dashboard:
- Log in to the Cloudflare dashboard and select your account and domain.
- Go to SSL/TLS.
- Choose an encryption mode.
 
To adjust your encryption mode with the API, send a PATCH request with ssl as the setting name in the URI path, and the value parameter set to your desired setting (off, flexible, full, strict, or origin_pull).
Depending on your origin configuration, you may have to adjust settings to avoid Mixed Content errors or redirect loops.