
SSL Flexible Mode

Learning Focus

By the end of this lesson you will understand what Flexible SSL mode does, why it is insecure, and why you should avoid it.

What Flexible Mode Means

In Flexible mode, Cloudflare encrypts the connection between the browser and Cloudflare (HTTPS), but the connection from Cloudflare to your origin server is unencrypted (HTTP).

Why Flexible Is Dangerous

  • Traffic between Cloudflare and your server is in plain text
  • Anyone on the network path (hosting provider, ISP, data center) can read it
  • Login credentials, personal data, and API keys are exposed
  • Creates a false sense of security — visitors see HTTPS in the browser but the backend is insecure
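The gap described above can be seen from the origin side. This added example (not part of the original lesson) scans origin access logs for requests that arrived over plain HTTP while Cloudflare's `CF-Visitor` or `X-Forwarded-Proto` header reports that the visitor used HTTPS. The log format, field names, and hostnames are assumptions constructed for the illustration.

```python
import json
import re
from collections import Counter

# Constructed origin access-log lines in an assumed key=value format (for example
# an nginx log_format emitting $scheme, $http_x_forwarded_proto, $http_cf_visitor).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=shop.example scheme=http port=80 xfp=https cf_visitor={"scheme":"https"} path=/login
2024-05-01T10:00:02Z host=shop.example scheme=http port=80 xfp=https cf_visitor={"scheme":"https"} path=/api/orders
2024-05-01T10:00:03Z host=blog.example scheme=https port=443 xfp=https cf_visitor={"scheme":"https"} path=/
2024-05-01T10:00:04Z host=shop.example scheme=http port=80 xfp=http cf_visitor={"scheme":"http"} path=/robots.txt
2024-05-01T10:00:05Z host=shop.example scheme=http port=80 xfp=- cf_visitor=- path=/health
this line is malformed and is skipped
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def visitor_scheme(fields):
    """Scheme the visitor used at the edge: CF-Visitor first, then X-Forwarded-Proto."""
    raw = fields.get("cf_visitor", "-")
    if raw != "-":
        try:
            return json.loads(raw).get("scheme")
        except (ValueError, AttributeError):
            pass  # unparsable header: fall back to X-Forwarded-Proto
    xfp = fields.get("xfp", "-")
    return None if xfp == "-" else xfp.lower()

def plaintext_origin_hops(log_text):
    """Return (host, path) for requests that were HTTPS at the edge but HTTP at the origin."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if not {"host", "scheme", "path"} <= fields.keys():
            continue  # malformed or incomplete line
        if fields["scheme"] == "http" and visitor_scheme(fields) == "https":
            hits.append((fields["host"], fields["path"]))
    return hits

def summarize(hits):
    """Count affected requests per host."""
    return Counter(host for host, _ in hits)

if __name__ == "__main__":
    hits = plaintext_origin_hops(SAMPLE_LOG)
    for host, count in summarize(hits).items():
        print(f"{host}: {count} request(s) HTTPS at edge, plaintext to origin")
    for host, path in hits:
        print(f"  {host}{path}")
```

Each hit is a request the visitor believed was encrypted end to end but that crossed the Cloudflare-to-origin leg in plain text. The headers are only a reliable signal when the origin accepts traffic solely from Cloudflare, since a client connecting directly can set them itself.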

When Flexible Is Acceptable

Almost never. The only scenario:

  • Your hosting does not support HTTPS at all (very unusual today)
  • Even then, it should be temporary while you set up proper certificates

Warning: Flexible mode is NOT secure. It appears secure to visitors (browser shows HTTPS) but does not protect traffic between Cloudflare and your server. Move to Full (Strict) as soon as possible.

Key Takeaways

  • Flexible mode is insecure by design — origin traffic is unencrypted.
  • It creates a false sense of security for visitors.
  • Always use Full (Strict) in production.
