Cloudflare's Flexible SSL leaves your origin traffic unencrypted despite padlock
Cloudflare's Flexible SSL mode encrypts traffic only on the leg between the visitor's browser and Cloudflare's edge; the second leg, from Cloudflare to the origin server, is plain HTTP. Anything the visitor sends or receives, including session cookies and login credentials, therefore crosses the internet unencrypted on the way to the origin, while the browser still shows the standard padlock because its own connection to Cloudflare is TLS. The misconfiguration is widespread precisely because that padlock satisfies users, developers and external security scanners, none of whom can observe the origin leg. The recommended fix is to switch the zone to Full (Strict) mode, in which Cloudflare connects to the origin over TLS and validates the origin's certificate; that requires a certificate on the origin that Cloudflare trusts, either from a public CA such as Let's Encrypt or from Cloudflare's own Origin CA (Origin CA certificates are trusted by Cloudflare's edge but not by browsers, so they only suit origins that are never reached directly). Plain Full mode also encrypts the origin leg but accepts any certificate, including self-signed or expired ones, so it stops passive eavesdropping but not an active attacker impersonating the origin. Enabling the 'Always Use HTTPS' toggle in the Cloudflare dashboard is also advised, so that a visitor's initial plain-HTTP request is redirected to HTTPS instead of being served in the clear.
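The dashboard setting is the fix, but an origin operator can also detect Flexible mode from their own side: Cloudflare reports the visitor-facing scheme to the origin in its CF-Visitor header (a small JSON object such as {"scheme":"https"}) and in X-Forwarded-Proto, so a request that arrives over a plaintext socket while CF-Visitor says the visitor used HTTPS is exactly the Flexible pattern. The following Python is an added example, not code from the original article or from Cloudflare; the header names are Cloudflare's documented ones, everything else (the WSGI middleware, the 403 response, the sample environs and the CF-Ray value) is constructed for illustration.

```python
"""Origin-side detection of Cloudflare Flexible SSL (added example).

With Flexible SSL the Cloudflare edge terminates the visitor's TLS and
fetches the page from the origin over plain HTTP. The origin can observe
that mismatch: Cloudflare reports the visitor-facing scheme in the
CF-Visitor header ({"scheme":"https"}) and in X-Forwarded-Proto, while the
socket the origin accepted on is unencrypted. The functions below classify
a request, and a small WSGI middleware refuses to serve when the origin leg
is plaintext, so a Flexible-mode misconfiguration fails loudly instead of
silently carrying session cookies in the clear.
"""
import json
from typing import Callable, Dict, Iterable, List, Mapping, Optional, Tuple

FLEXIBLE = "flexible: visitor TLS ends at the edge, origin leg is plaintext"
END_TO_END = "full or full (strict): TLS on both legs"
VISITOR_PLAINTEXT = "visitor used plain HTTP (Always Use HTTPS not in effect)"
NOT_CLOUDFLARE = "no Cloudflare headers: request did not come via the edge"


def _lower(headers: Mapping[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def cf_visitor_scheme(headers: Mapping[str, str]) -> Optional[str]:
    """Scheme the visitor used towards Cloudflare, or None if the request
    carries no usable Cloudflare headers."""
    h = _lower(headers)
    raw = h.get("cf-visitor")
    if raw:
        try:
            scheme = json.loads(raw).get("scheme")
        except (ValueError, AttributeError):
            scheme = None  # malformed header: fall through to X-Forwarded-Proto
        if scheme in ("http", "https"):
            return scheme
    # Fall back to X-Forwarded-Proto, but only when other Cloudflare
    # headers show the request really came through the edge.
    if "cf-ray" in h or "cf-connecting-ip" in h:
        xfp = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if xfp in ("http", "https"):
            return xfp
    return None


def classify(transport_scheme: str, headers: Mapping[str, str]) -> str:
    """transport_scheme is the scheme of the connection the origin itself
    accepted ('http' or 'https'); headers are the request headers."""
    visitor = cf_visitor_scheme(headers)
    if visitor is None:
        return NOT_CLOUDFLARE
    if visitor == "http":
        return VISITOR_PLAINTEXT
    return END_TO_END if transport_scheme.lower() == "https" else FLEXIBLE


def environ_headers(environ: Mapping[str, str]) -> Dict[str, str]:
    """Recover request headers from a WSGI environ (HTTP_CF_VISITOR -> CF-VISITOR)."""
    return {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}


class RefuseFlexibleSSL:
    """WSGI middleware: answer 403 when Cloudflare reached us over plain HTTP
    on behalf of a visitor who connected over HTTPS, instead of serving the page."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        verdict = classify(environ.get("wsgi.url_scheme", "http"), environ_headers(environ))
        if verdict == FLEXIBLE:
            body = b"Origin leg is plaintext; set the Cloudflare SSL mode to Full (Strict).\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _hello(environ, start_response):
    """Placeholder application behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", "3")])
    return [b"ok\n"]


def run(environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """Drive the middleware with a constructed environ; returns (status, body)."""
    status: List[str] = []

    def start_response(s, headers, exc_info=None):
        status.append(s)

    body = b"".join(RefuseFlexibleSSL(_hello)(environ, start_response))
    return status[0], body


# Constructed sample requests (hypothetical CF-Ray value), not captured traffic.
FLEXIBLE_ENVIRON = {"wsgi.url_scheme": "http", "HTTP_CF_RAY": "0123456789abcdef-FRA",
                    "HTTP_CF_VISITOR": '{"scheme":"https"}', "HTTP_X_FORWARDED_PROTO": "https"}
STRICT_ENVIRON = {**FLEXIBLE_ENVIRON, "wsgi.url_scheme": "https"}
DIRECT_ENVIRON = {"wsgi.url_scheme": "http"}

if __name__ == "__main__":
    for name, env in [("flexible", FLEXIBLE_ENVIRON), ("strict", STRICT_ENVIRON), ("direct", DIRECT_ENVIRON)]:
        print(name, "->", classify(env["wsgi.url_scheme"], environ_headers(env)), run(env)[0])
```

Two caveats apply to this tripwire. The headers it reads are set by Cloudflare, but anyone who can reach the origin directly can forge them, so the check is only meaningful once the origin accepts connections solely from Cloudflare's IP ranges (or uses Authenticated Origin Pulls); and it cannot distinguish plain Full from Full (Strict), since both give the origin a TLS connection. Whether the edge actually validates the origin certificate has to be confirmed in the zone's SSL/TLS settings.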
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
