SSL Full (Strict)
Learning Focus
By the end of this lesson you will understand what Full (Strict) SSL mode requires and why it is the recommended production setting.
What Full (Strict) Means
In Full (Strict) mode, Cloudflare encrypts traffic both from the browser to Cloudflare and from Cloudflare to your origin server. Additionally, Cloudflare validates the origin certificate — it must be from a trusted CA or Cloudflare's own Origin CA.
SSL Mode Comparison
| Mode | Browser ↔ Cloudflare | Cloudflare ↔ Origin | Cert Validated? |
|---|---|---|---|
| Off | HTTP | HTTP | No |
| Flexible | HTTPS | HTTP | No |
| Full | HTTPS | HTTPS | No (self-signed OK) |
| Full (Strict) | HTTPS | HTTPS | ✅ Yes |
What You Need for Full (Strict)
- SSL Listener on port 443 in OpenLiteSpeed
- A valid certificate from one of:
  - Cloudflare Origin CA (easiest — trusted only by Cloudflare)
  - Let's Encrypt (trusted everywhere)
  - Any publicly trusted CA
- The certificate must cover your domain name
- The certificate must not be expired
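The last two requirements (the certificate covers the domain and is not expired) can be checked before you switch modes. The following is an added example, not part of the original lesson: it works on the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`, the sample certificate and the function names are constructed for illustration, and it does not check which CA issued the certificate.

```python
import ssl
import time

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2039 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def covers(hostname, cert):
    """True if a DNS subjectAltName entry matches hostname."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # A wildcard stands for exactly one left-most label.
            label, _, parent = host.partition(".")
            if label and parent == pattern[2:]:
                return True
    return False


def strict_problems(hostname, cert, now=None):
    """List the reasons this certificate would fail the name/date checks."""
    now = time.time() if now is None else now
    problems = []
    if not covers(hostname, cert):
        problems.append("name not covered")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "a.b.example.com"):
        print(name, strict_problems(name, SAMPLE_CERT) or "ok")
```

An empty list means the name and date requirements are met; `a.b.example.com` is reported as not covered because a wildcard entry matches only one label.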
Warning: Using Flexible mode is a common mistake. It leaves traffic between Cloudflare and your server unencrypted, so anyone on the network between them can read it.
Key Takeaways
- Full (Strict) is the recommended production mode — both legs are encrypted and validated.
- You need a valid certificate on your origin server — self-signed will not work.
- Cloudflare Origin CA certificates are the simplest option for Full (Strict).
What's Next
- See the complete Cloudflare SSL Full (Strict) Setup guide for step-by-step installation.