
Additional options

Once you set up SSL/TLS on your application, you can adjust the following settings in SSL/TLS > Edge Certificates:

  • Certificate Transparency Monitoring: Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims to improve security by allowing you to double-check any SSL/TLS certificates issued for your domain.
  • HTTP Strict Transport Security (HSTS): HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
  • Certificate Signing Requests (CSRs): Generate a Certificate Signing Request (CSR) to get a custom certificate from the Certificate Authority (CA) of your choice while maintaining control of the private key on Cloudflare. The private key associated with the CSR will be generated by Cloudflare and will never leave our network.
  • TLS 1.3: TLS 1.3 enables the latest version of the TLS protocol (when supported) for improved security and performance.
  • Minimum TLS Version: Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer.
  • Automatic HTTPS Rewrites: Automatic HTTPS Rewrites prevents end users from seeing “mixed content” errors by rewriting URLs from http to https for resources or links on your website that can be served with HTTPS.
  • Total TLS: Total TLS allows Cloudflare to issue individual certificates for your proxied hostnames. These certificates will protect proxied hostnames not covered by Universal certificates.
  • Always Use HTTPS: Always Use HTTPS redirects all your visitor requests from http to https, for all subdomains and hosts in your application.
  • Opportunistic Encryption: Opportunistic Encryption allows browsers to access HTTP URIs over an encrypted TLS channel. It’s not a substitute for HTTPS, but provides additional security for otherwise vulnerable requests.