Cloudflare Flexible SSL leaves origin traffic exposed
Cloudflare's Flexible SSL mode encrypts traffic between visitors and Cloudflare but leaves the connection between Cloudflare and the origin server unencrypted. This means session cookies, login data, and other sensitive information can be intercepted over the public internet. The fix is to switch to Full (strict) mode and install a valid certificate on the origin server.
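One way to confirm from the origin side whether the Cloudflare-to-origin hop is still plaintext, as an added example that is not from the article or from Cloudflare. It assumes the origin writes a custom access log containing the listener port and the `X-Forwarded-Proto` header Cloudflare sends; the log format, sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the page). Assumed custom log format:
#   <peer-ip> port=<origin listener port> xfp=<X-Forwarded-Proto> "<request>" <status>
SAMPLE_LOG = """\
198.51.100.7 port=80 xfp=https "POST /login HTTP/1.1" 302
198.51.100.7 port=80 xfp=https "GET /account HTTP/1.1" 200
198.51.100.9 port=443 xfp=https "GET /account HTTP/1.1" 200
198.51.100.9 port=80 xfp=http "GET / HTTP/1.1" 301
malformed line without fields
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) port=(?P<port>\d+) xfp=(?P<xfp>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
TLS_PORTS = {443}  # assumption: the origin terminates TLS only on 443


def classify(port, xfp):
    """Label the Cloudflare-to-origin hop for one request."""
    if port in TLS_PORTS:
        # Encrypted hop; this alone cannot tell Full from Full (strict).
        return "encrypted-hop"
    if xfp.lower() == "https":
        # Visitor saw HTTPS, yet the origin received plain HTTP.
        return "exposed"
    return "plaintext-end-to-end"


def audit(log_text):
    """Return (per-label counts, exposed requests, unparsed line count)."""
    counts, exposed, unparsed = Counter(), [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        label = classify(int(m["port"]), m["xfp"])
        counts[label] += 1
        if label == "exposed":
            exposed.append((m["method"], m["path"]))
    return counts, exposed, unparsed


if __name__ == "__main__":
    counts, exposed, unparsed = audit(SAMPLE_LOG)
    print(dict(counts), exposed, f"unparsed={unparsed}")
```

Any `exposed` entries mean visitors were shown HTTPS while the request reached the origin unencrypted; after switching to Full (strict) that count should drop to zero.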
Meridian48 take
The article correctly highlights a common misconfiguration, but the risk is often overstated for sites behind Cloudflare's private network; still, Full (strict) is the right default.
cloudflare · ssl-tls