Cloudflare Free SSL/TLS

Encrypting as much web traffic as possible to prevent data theft and other tampering is a critical step toward building a safer, better Internet. We’re proud to be the first Internet performance and security company to offer SSL protection free of charge.

cloudflare security illustration

Advanced Configuration Options

Custom Certificates

Cloudflare automatically provisions SSL certificates that are shared by multiple customer domains. Business and Enterprise customers have the option to upload a custom, dedicated SSL certificate that will be presented to end users. This allows the use of extended validation (EV) and organization validated (OV) certificates.

Modern TLS Only

PCI 3.2 compliance requires either TLS 1.2 or 1.3, as there are known vulnerabilities in all earlier versions of TLS and SSL. Cloudflare provides a “Modern TLS Only” option that forces all HTTPS traffic from your website to be served over either TLS 1.2 or 1.3.

Opportunistic Encryption

Opportunistic Encryption provides HTTP-only domains that can't upgrade to HTTPS, due to mixed content or other legacy issues, the benefits of encryption and web optimization features only available using TLS without changing a single line of code.

TLS Client Auth

Cloudflare’s Mutual Auth (TLS Client Auth) creates a secure connection between a client, like an IoT device or a mobile app, and its origin. When a client attempts to establish a connection with its origin server, Cloudflare validates the device’s certificate to check it has authorized access to the endpoint. If the device has a valid client certificate, like having the correct key to enter a building, the device is able to establish a secure connection. If the device’s certificate is missing, expired, or invalid, the connection is revoked and Cloudflare returns a 403 error.

HSTS

Supporting the HTTP Strict Transport Security (HSTS) protocol is one of the easiest ways to better secure your website, API, or mobile application. HSTS is an extension to the HTTP protocol that forces clients to use secure connections for every request to your origin server. Cloudflare provides HSTS support with the click of a button.

Automatic HTTPS Rewrites

Automatic HTTPS Rewrites safely eliminates mixed content issues while enhancing performance and security by rewriting insecure URLs dynamically from known (secure) hosts to their secure counterpart. By enforcing a secure connection, Automatic HTTPS Rewrites enables you to take advantage of the latest security standards and web optimization features only available over HTTPS.

Encrypted Server Name Indicator (SNI)

Encrypted SNI replaces the plaintext “server_name” extension used in the ClientHello message during TLS negotiation with an “encrypted_server_name.” This capability expands on TLS 1.3, increasing the privacy of users by concealing the destination hostname from intermediaries between the visitor and website.

Geo Key Manager

Geo Key Manager provides the ability to choose which Cloudflare data centers have access to private keys in order to establish HTTPS connections. Cloudflare has preconfigured options to select from either US or EU data centers as well as the highest security data centers in the Cloudflare network. Data centers without access to private keys can still terminate TLS, but they will experience a slight initial delay when contacting the nearest Cloudflare data center storing the private key.

Working With TLS Vulnerabilities at Scale

Cloudflare engineers deal with billions of SSL requests on a daily basis, so when a new security vulnerability is discovered, we have to act fast. Many vulnerabilities don’t affect users due to our strict security standards, but we love explaining how encryption breaks.

Padding Oracles and the Decline of CBC Cipher Suites

In early 2016, we saw web client support for AEAD ciphers increase from under 50% to over 70% in only six months. Learn why cipher block chaining is no longer considered completely secure.

Logjam: the Latest TLS Vulnerability Explained

Cloudflare customers were never affected by the Logjam vulnerability, but we did create a detailed writeup explaining how it works.

Build Your Own Public Key Infrastructure

Cloudflare encrypts all traffic between its datacenters using its own internal certificate authority. We built our own open-source PKI toolkit to do it.

Roughtime Protocol Support

Helps the web be more secure by reducing TLS certificate errors using an authenticated timestamp service.

Technical Details

Minimum Supported Browser Versions for Cloudflare SSL Free Users:

Desktop Browsers

  • Firefox 2
  • Internet Explorer 7 on Windows Vista
  • Windows Vista or OS X 10.6 with:
    Chrome 5.0.342.0, Opera 14, Safari 4

Mobile Browsers

  • Mobile Safari on iOS 4.0
  • Android 4.0 (Ice Cream Sandwich)
  • Windows Phone 7

Note:

Operating systems, when specified above, are the minimum version required. If you need more compatibility with older browsers, such as Windows XP SP2 and Android <3.0, please use the SSL on our Pro, Business, or Enterprise plans. If you have further questions please see our FAQ.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare. Pick a plan that fits your needs.

Free

For personal websites, blogs, and anyone who wants to explore Cloudflare.

$0/month

Add-ons billed monthly

Pro

For professional websites, blogs, and portfolios requiring basic security and performance.

$20/month

Billed monthly

Business

For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

$200/month

Billed monthly

Enterprise

For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

Contact Us

Billed annually

Trusted by millions of Internet properties

logo mars gray 32px wrapper
logo loreal gray 32px wrapper
logo doordash gray 32px wrapper
logo garmin gray 32px wrapper
logo ibm gray 32px wrapper
logo 23andme color 32px wrapper
logo shopify color 32px wrapper
logo lending tree color 32px wrapper
logo labcorp color 32px wrapper
logo ncr gray 32px wrapper
logo thomson reuters gray 32px wrapper
logo zendesk gray 32px wrapper