Is CloudFlare’s Flexible SSL less secure than Off?

Cloudflare presents three free SSL alternatives: Flexible SSL, Full SSL, and Full Strict SSL. The Full Strict SSL choice secures both the clients’ connections to Cloudflare and Cloudflare’s connection to the origin server with a Valid CA signed certificate.


The CloudFlare website’s “support” section features a guide discussing SSL options and their meanings.

According to the article’s writer, setting the SSL option to “OFF” is a better choice than opting for Flexible SSL.

While selecting the “Off” option is more secure than the option being discussed, opting for this less secure option may lead to trouble when you eventually switch away from it, as evidenced by the occurrence of an infinite redirect loop. So, it is advisable to choose a more secure option to avoid such issues.

I understand that when using Flexible SSL, there is no
secure connection
connection between CloudFlare and your web server. However, is this the sole reason why the author claimed it to be less secure than having SSL turned off? Or are there other factors that contribute to the increased risks and vulnerabilities associated with Flexible SSL when compared to having SSL turned off? Please note that I am solely comparing these two options.

  • OFF
  • Flexible SSL

Solution 1:

The security of Flexible may be compromised if individuals with malicious intent target the flexible connections (http) between known
cloudflare servers
and your web server. As SSL on the client side indicates the presence of sensitive information, such as private or financial data, attackers may invest their efforts in searching for insecure transfers between CF and your server.

Other than that supposition, I deem Flexible unreliable, risky, providing a deceitful sense of safety, or essentially deceiving their customers. The clients believe their link is protected, but in reality, it is not.

The availability of Flexible option from CF seems strange to me.

Solution 2:

Implementing SSL/TLS is significantly beneficial compared to having no security measures in place. With the FCC Privacy Requirements no longer in effect for ISPs, all websites across the internet must transition to HTTPS and HTTP should be completely prohibited. This is crucial as an attacker can now easily gain access to the browsing patterns of users accessing any website or web service. Even would greatly enhance its security by enforcing HTTPS usage.

Give thought to activating the HTTP-Strict Transport Security (HSTS) feature.

Frequently Asked Questions