A client called: "the site has the padlock, we're done with SSL, right?" Pulled up the Cloudflare panel — Flexible mode. The padlock was real. The encryption wasn't.
This catches more sites than it should, and the fix is straightforward once you see what's happening.
What Cloudflare's SSL modes actually mean
There are four, and only one is what most people think they have:
- Off — no HTTPS. Plain HTTP both ways. Nobody picks this on purpose anymore.
- Flexible — HTTPS between the visitor and Cloudflare. Plain HTTP between Cloudflare and your origin. The padlock is the browser's, but the second half of the trip is naked.
- Full — HTTPS both ways. Cloudflare doesn't check the origin's certificate, so a self-signed cert is fine. Encrypted, but not authenticated.
- Full (strict) — HTTPS both ways, and Cloudflare verifies the origin cert against a real CA. This is the one you want.
Flexible is dangerous because the browser shows the same lock as Full Strict. The site feels secure to the user, to the developer, to whatever scanner pings it from outside. But the traffic between Cloudflare and the origin server is plaintext.
The threat model people miss
"Plain HTTP between Cloudflare and origin — so what, that's a private link?"
It isn't. The path from Cloudflare to your origin crosses the public internet. Any network in between — a transit provider, a hosting peer, an exit on a managed VPN, a misconfigured router — can read it. Session cookies, login posts, form data, anything not separately encrypted. You spent the budget on Cloudflare to protect the wire, and the back half of the wire is still wide open.
This is the part the padlock can't tell you about. The browser only sees its own leg of the connection. Cloudflare's leg to your box is invisible to the user, and that's exactly where the leak is.
The fix
Move to Full (strict). This is two steps.
1. Put a real cert on your origin.
If you control the server and run nginx/Apache, the easy answer is Let's Encrypt with certbot — free, 90-day renewal, automated. It's a 10-minute install on most stacks.
If you can't reach the origin from the public internet (it's locked to Cloudflare's IPs, or behind a firewall that won't let Let's Encrypt's HTTP-01 challenge through), use Cloudflare's Origin CA. It's a separate cert authority Cloudflare runs specifically to issue long-lived (up to 15-year) certs that only Cloudflare itself trusts. Generate one in the Cloudflare dashboard, install on your origin, done.
2. Switch the SSL/TLS mode in Cloudflare to Full (strict).
Cloudflare dashboard → SSL/TLS → Overview. Flip from Flexible to Full Strict.
There's an "Always Use HTTPS" toggle nearby — turn it on too. Without it, the first request can still arrive over plain HTTP: the user clicks a plain http:// link, or an attacker on the path keeps it from upgrading, and that request rides in plaintext, cookies and all, with nothing at Cloudflare forcing it onto HTTPS. Force HTTPS at the edge.
Watch out for the redirect loop
A mistake I see: the site is on Flexible, and the origin redirects HTTP→HTTPS at the app level (WordPress with siteurl set to https://, for example). Cloudflare fetches from the origin over HTTP, the origin answers with a 301 to https://, the browser follows that back to Cloudflare, Cloudflare fetches over HTTP again, and you get an infinite loop.
Symptom: page never loads, browser eventually shows "too many redirects."
Fix: don't redirect at the origin when you're on Flexible. Or, better, fix the actual problem — move to Full Strict and let the origin always speak HTTPS.
How to check what you have right now
In the Cloudflare dashboard:
- SSL/TLS → Overview shows the current mode in plain words.
- SSL/TLS → Edge Certificates shows the cert Cloudflare presents to visitors.
- SSL/TLS → Origin Server lists any Origin CA certs issued for the zone — that's the origin side, the one to confirm is real.
From outside, you can also hit your origin's IP directly with curl --resolve to confirm it serves HTTPS:
curl -I --resolve yourdomain.com:443:<origin_ip> https://yourdomain.com/
If that fails with "connection refused" on 443, your origin isn't speaking HTTPS at all — Flexible was hiding that. If it fails with "SSL certificate problem," the origin is speaking HTTPS but with a cert curl doesn't trust: either self-signed (Full works, Full Strict won't) or an Origin CA cert, which only Cloudflare trusts and which Full Strict accepts.
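A scripted version of that check, added here as an example and not part of the original post: it probes the origin IP directly and turns curl's exit code into a verdict, then retries with the Origin CA root so an Origin CA cert is not mistaken for a broken origin. curl is assumed to be installed; ORIGIN_CA_ROOT is a hypothetical local PEM path you would set yourself.

```shell
#!/bin/sh
# Added example, not from the original post. Probes the origin directly
# (bypassing Cloudflare) and reads curl's exit code so you know which SSL
# mode the origin can actually support. ORIGIN_CA_ROOT, if set, is a
# hypothetical local PEM file holding Cloudflare's Origin CA root.

# Map curl's exit code to a verdict. curl codes: 7 connect refused,
# 28 timed out, 35 TLS handshake failed, 60 cert not trusted locally.
interpret_probe() {
    case "$1" in
        0)  echo "OK: public CA cert, Full (strict) will work" ;;
        7)  echo "NO-TLS: nothing listens on 443, origin is HTTP only (Flexible was hiding this)" ;;
        28) echo "TIMEOUT: likely a firewall allowing only Cloudflare IPs, probe from an allowed host" ;;
        35) echo "NO-TLS: 443 answers but the handshake fails, check the listener config" ;;
        60) echo "UNTRUSTED: HTTPS works but curl does not trust the cert (self-signed or Origin CA); Full works, Full (strict) only if it is Origin CA or a public CA" ;;
        *)  echo "UNKNOWN: curl exit $1" ;;
    esac
}

# Send the real hostname (SNI and Host header) to the origin IP so the
# right vhost and cert are selected, exactly as Cloudflare would.
probe_origin() {
    domain="$1"; ip="$2"; cacert="${3:-}"
    if [ -n "$cacert" ]; then set -- --cacert "$cacert"; else set --; fi
    rc=0
    curl -s -o /dev/null -I --max-time 10 "$@" \
        --resolve "${domain}:443:${ip}" "https://${domain}/" || rc=$?
    echo "$rc"
}

check_origin() {
    rc=$(probe_origin "$1" "$2")
    interpret_probe "$rc"
    # Exit 60 is the normal result for an Origin CA cert: retry trusting
    # that root to confirm Full (strict) will accept it.
    if [ "$rc" -eq 60 ] && [ -n "${ORIGIN_CA_ROOT:-}" ]; then
        if [ "$(probe_origin "$1" "$2" "$ORIGIN_CA_ROOT")" -eq 0 ]; then
            echo "OK: cert chains to Cloudflare Origin CA, Full (strict) will work"
        fi
    fi
}

# Usage: sh check_origin.sh yourdomain.com <origin_ip>
if [ $# -ge 2 ]; then
    check_origin "$1" "$2"
fi
```

Run it from a host the origin firewall allows, otherwise every origin that is correctly locked to Cloudflare's IPs will report TIMEOUT.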
The padlock is a useful signal but it doesn't tell the whole story. Flexible SSL exists for a reason — early days, lots of origins didn't have certs — but it's a 2014 compromise and shouldn't be running anywhere in 2026. If you're holding client sites behind Cloudflare, audit the SSL mode on each one. It's a five-second check that catches a real problem.
I do this kind of edge-hardening for agencies running multiple client sites on Cloudflare — if your SSL setup hasn't been looked at in a while, happy to take a look.