SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS AttacksStop Malicious Bot AbuseAccelerate Internet ApplicationsEnsure Application AvailabilityOptimize Web ExperiencesStream Videos On-Demand
Secure Employee Applications and Devices
Deliver Zero Trust Access to ApplicationsImplement Secure Access Service Edge (SASE)Protect Users Accessing the InternetProtect Corporate NetworksManage Secure Contractor AccessReplace Virtual Private Networks (VPNs)Secure Your Remote WorkforceStop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Mitigate L3 DDoS AttacksConnect network infrastructure with CloudflareTransform Corporate Networks
Code on the Network Edge
Build a Serverless ApplicationDeploy a Static WebsiteConfigure a CDNDefine Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS PlatformsEnable SSL for SaaS ApplicationsReduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerceFinancial ServicesGamingHealthcare and Life SciencesMedia and EntertainmentPublic SectorSaaSEducation
PUBLIC INTEREST
Election CampaignsAthenian ProjectProject GalileoProject Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
DDoS ProtectionWAFBot ManagementMagic TransitMagic WANRate LimitingSSL / TLSSSL/TLS for SaaS ProvidersCloudflare SpectrumNetwork InterconnectCDNDNSArgo Smart RoutingLoad BalancingStream DeliveryChina NetworkWaiting Room
FOR TEAMS
Cloudflare for TeamsAccessGatewayBrowser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare WorkersCloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare PagesCloudflare Stream
SaaS Developers
Cloudflare for SaaS
FOR EVERYONE
1.1.1.11.1.1.1 with WARP (App)1.1.1.1 for Families
INSIGHTS
AnalyticsCloudflare LogsWeb AnalyticsCloudflare Radar
PRIVACY
Data LocalizationCompliance
FOR INFRASTRUCTURE
Advanced Security
Bot ManagementFirewall rulesMagic TransitSpectrum (TCP/UDP)SSLWAFCDNDNSImage ResizingLoad BalancingStream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick StartCloudflare PagesSample Workers ProjectsWorkers TutorialsCommand-line (Wrangler)Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare APIAPI Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource HubWhitepapersWebinarsSolutions & Product GuidesCase StudiesAnalysts
EXPLORE
What's New?Network MapCloudflare in ChinaGDPR
GET STARTED
Register Your WebsiteWelcome CenterGet Help
LEARN
Learning CenterSecurityDDoSBot ManagementSSLIdentity and Access ManagementPerformanceCDNDNSCloudServerlessNetwork Layer
CONNECT
BlogCommunity
TRUST
Trust HubPrivacy & Data ProtectionCertificationsTrust & SafetyGDPRLegal Documentation
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner NetworkPartner Portal
TECHNOLOGY PARTNERS
OverviewAnalytics PartnersBandwidth AllianceEndpoint Security PartnershipsInterconnect PartnershipsNetwork On-ramp PartnershipsPeering Portal
PRICING BY PLAN
FreeProBusinessEnterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan?Add OnsCompare All Plans

Cloudflare Free SSL/TLS

Encrypting as much web traffic as possible to prevent data theft and other tampering is a critical step toward building a safer, better Internet. We’re proud to be the first Internet performance and security company to offer SSL protection free of charge.

Sign Up
What is SSL?
SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This secure link ensures that all data transferred remains private. It’s also called TLS (Transport Layer Security). Millions of websites use SSL encryption everyday to secure connections and keep their customer’s data safe from monitoring and tampering

Why Use SSL?

Every website on the Internet should be served over HTTPS. Here’s why:
  • Performance: Modern SSL can actually improve page load times.
  • Search Ranking Boost: Search engines favor HTTPS websites.
  • Security: Encrypting traffic with SSL ensures nobody can snoop on your users’ data.
  • Trust: By displaying a green lock in the browser’s address bar, SSL increases visitor’s trust.
  • Regulatory Compliance: SSL is a key component in PCI compliance.
Easy SSL Configuration
Manually configuring SSL requires several steps, and a misconfiguration can prevent users from getting to your website. Cloudflare allows any Internet property to become HTTPS-enabled with the click of a button. You’ll never need to worry about SSL certificates expiring or staying up to date with the latest SSL vulnerabilities when you’re using Cloudflare SSL.

Manually Configuring SSL

Configuring SSL With Cloudflare

SSL Performance

HTTPS isn’t what it used to be. It’s faster, more secure, and used by more websites than ever before. SSL enables HTTP/2, which has the potential to make websites up to two times faster with no changes to existing codebases. Modern TLS also includes performance-oriented features like session resumption, OCSP stapling, and elliptic curve cryptography that uses smaller keys (resulting in a faster handshake). TLS 1.3 reduces latency even further and removes insecure features of TLS making HTTPS more secure and performant than any previous version of TLS and its non-secure counterpart, HTTP.

Cloudflare has even worked to improve the performance of OpenSSL. We implemented ChaCha20-Poly1305, a cipher suite that runs three times faster than AES-128-GCM on mobile devices. We care about performance.

Cloudflare SSL Configuration

Modes of Operation

Cloudflare SSL operates in different modes depending on the level of security required and the amount of configuration you’re willing to do. Traffic to the end user will always be encrypted, which means your website will always enjoy the benefits of HTTPS. However, traffic between Cloudflare and your origin server can be configured in a variety of ways.

Flexible SSL

Flexible SSL encrypts traffic from Cloudflare to end users of your website, but not from Cloudflare to your origin server. This is the easiest way to enable HTTPS because it doesn’t require installing an SSL certificate on your origin. While not as secure as the other options, Flexible SSL does protect your visitors from a large class of threats including public WiFi snooping and ad injection over HTTP.

Full SSL

Full SSL mode provides encryption from end users to Cloudflare and from Cloudflare to your origin server. This requires an SSL certificate on your origin server. In Full SSL mode, you have three options for certificates to install on your server: one issued by a Certificate Authority (Strict), one issued by Cloudflare (Origin CA), or a self signed certificate. It is recommended that you use a certificate obtained through Cloudflare Origin CA.

Origin CA

Origin CA uses a Cloudflare-issued SSL certificate instead of one issued by a Certificate Authority. This reduces much of the friction around configuring SSL on your origin server, while still securing traffic from your origin to Cloudflare. Instead of having your certificate signed by a CA, you can generate a signed certificate directly in the Cloudflare dashboard.
Advanced Configuration Options

Custom Certificates

Cloudflare automatically provisions SSL certificates that are shared by multiple customer domains. Business and Enterprise customers have the option to upload a custom, dedicated SSL certificate that will be presented to end users. This allows the use of extended validation (EV) and organization validated (OV) certificates.

Modern TLS Only

PCI 3.2 compliance requires either TLS 1.2 or 1.3, as there are known vulnerabilities in all earlier versions of TLS and SSL. Cloudflare provides a “Modern TLS Only” option that forces all HTTPS traffic from your website to be served over either TLS 1.2 or 1.3.

Opportunistic Encryption

Opportunistic Encryption provides HTTP-only domains that can't upgrade to HTTPS, due to mixed content or other legacy issues, the benefits of encryption and web optimization features only available using TLS without changing a single line of code.

TLS Client Auth

Cloudflare’s Mutual Auth (TLS Client Auth) creates a secure connection between a client, like an IoT device or a mobile app, and its origin. When a client attempts to establish a connection with its origin server, Cloudflare validates the device’s certificate to check it has authorized access to the endpoint. If the device has a valid client certificate, like having the correct key to enter a building, the device is able to establish a secure connection. If the device’s certificate is missing, expired, or invalid, the connection is revoked and Cloudflare returns a 403 error.

HSTS

Supporting the HTTP Strict Transport Security (HSTS) protocol is one of the easiest ways to better secure your website, API, or mobile application. HSTS is an extension to the HTTP protocol that forces clients to use secure connections for every request to your origin server. Cloudflare provides HSTS support with the click of a button.

Automatic HTTPS Rewrites

Automatic HTTPS Rewrites safely eliminates mixed content issues while enhancing performance and security by rewriting insecure URLs dynamically from known (secure) hosts to their secure counterpart. By enforcing a secure connection, Automatic HTTPS Rewrites enables you to take advantage of the latest security standards and web optimization features only available over HTTPS.

Encrypted Server Name Indicator (SNI)

Encrypted SNI replaces the plaintext “server_name” extension used in the ClientHello message during TLS negotiation with an “encrypted_server_name.” This capability expands on TLS 1.3, increasing the privacy of users by concealing the destination hostname from intermediaries between the visitor and website.

Geo Key Manager

Geo Key Manager provides the ability to choose which Cloudflare data centers have access to private keys in order to establish HTTPS connections. Cloudflare has preconfigured options to select from either US or EU data centers as well as the highest security data centers in the Cloudflare network. Data centers without access to private keys can still terminate TLS, but they will experience a slight initial delay when contacting the nearest Cloudflare data center storing the private key.
Dedicated SSL Certificates

Dedicated SSL Certificates provide high-level encryption and compatibility, along with lightning fast performance, served through our global content distribution network. With a few clicks within the Cloudflare dashboard, you can easily and quickly issue new certificates, securely generate private keys and more. Dedicated SSL Certificates are available for purchase on all Cloudflare pricing plans. Learn More >

Working With TLS Vulnerabilities at Scale

Padding Oracles and the Decline of CBC Cipher Suites

In early 2016, we saw web client support for AEAD ciphers increase from under 50% to over 70% in only six months. Learn why cipher block chaining is no longer considered completely secure.
Read More

Logjam: the Latest TLS Vulnerability Explained

Cloudflare customers were never affected by the Logjam vulnerability, but we did create a detailed writeup explaining how it works.
Read More

Build Your Own Public Key Infrastructure

Cloudflare encrypts all traffic between its datacenters using its own internal certificate authority. We built our own open-source PKI toolkit to do it.
Read More

Roughtime Protocol Support

Helps the web be more secure by reducing TLS certificate errors using an authenticated timestamp service.
Read More

Setting Up Cloudflare Is Easy



Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare. Pick a plan that fits your needs.

Free

For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

Pro

For professional websites, blogs, and portfolios requiring basic security and performance.

$20/month

per domain

Learn More

Business

For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

$200/month

per domain

Learn More

Enterprise

For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

Contact Us

Learn More

Trusted by approximately 25 million Internet properties

Read some of our case studies

Technical Details

Desktop Browsers

  • Firefox 2
  • Internet Explorer 7 on Windows Vista
  • Windows Vista or OS X 10.6 with: -- Chrome 5.0.342.0 -- Opera 14 -- Safari 4

Mobile Browsers

  • Mobile Safari on iOS 4.0
  • Android 4.0 (Ice Cream Sandwich)
  • Windows Phone 7

Note:

Operating systems, when specified above, are the minimum version required. If you need more compatibility with older browsers, such as Windows XP SP2 and Android <3.0, please use the SSL on our Pro, Business, or Enterprise plans. If you have further questions please see our FAQ.

Sales

Getting Started

Community

Developers

Support

Company

© 2021 Cloudflare, Inc.Privacy PolicyTerms of UseDisclosureCookie PreferencesTrademark