The Misconception About HTTPS
You think your site has HTTPS. It probably doesn't. I was in a workshop with a customer's CTO and his team. They had spent a month tightening their stack, ticking off security items one by one. But when I asked if encryption was in place, they said yes, they were on HTTPS through Cloudflare.
- They had enabled Cloudflare's free SSL by keeping the proxy on.
- But what they had configured wasn't end-to-end encryption. It was something much weaker.
When you put Cloudflare in front of your website, two distinct network connections come into existence:
- Visitor → Cloudflare
- Cloudflare → Origin
The padlock you see in the browser bar reflects only the first connection: the certificate the browser validates is Cloudflare's edge certificate for your hostname, not anything from your server. It tells the user nothing about what happens between Cloudflare and your origin server.
Cloudflare offers five SSL/TLS settings, and they differ in what happens on the second leg:
- Automatic: Cloudflare probes the origin and selects the strongest mode it can make work. Check which mode it actually landed on.
- Off: no HTTPS on either leg.
- Flexible: TLS from the visitor to Cloudflare, plain HTTP from Cloudflare to the origin. The second leg crosses the public Internet unencrypted.
- Full: TLS on both legs, but Cloudflare does not validate the origin certificate. A self-signed or expired certificate is accepted, and so is one presented by anyone sitting between Cloudflare and your origin.
- Full (Strict): TLS on both legs, and the origin must present a certificate Cloudflare can validate for the hostname, either one from a public CA or a Cloudflare Origin CA certificate.
Most teams end up on Flexible or Full while believing they are on Full (Strict). They click the orange cloud, see the padlock, ship, and move on.
To get to Full (Strict), you need to:
- Generate an origin certificate: either one from a public CA, or a Cloudflare Origin CA certificate, which only Cloudflare's edge trusts (acceptable, because only Cloudflare should be talking to the origin)
- Install the certificate and its private key on your origin server and make sure it serves them on port 443 for the zone's hostname
- Switch the Cloudflare SSL/TLS mode to Full (Strict), but only after the previous step is done, or visitors get Cloudflare's error 526 (invalid SSL certificate)
- Verify with curl, on both legs: through Cloudflare, and directly against the origin IP with the proxy bypassed
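The four steps above, carried through in the safe order, as an added example (this is not code from the original post or from Cloudflare). It assumes the certificate and key are already installed on the origin, and takes five values from environment variables that are assumptions of this script: CF_API_TOKEN, CF_ZONE_ID, DOMAIN, ORIGIN_IP and ORIGIN_CA_ROOT (the path to Cloudflare's Origin CA root certificate, downloaded from Cloudflare's documentation). The API endpoint and the mode values off/flexible/full/strict are Cloudflare's documented ones. The script reads the current mode, checks the Cloudflare-to-origin leg directly before touching the setting, switches to strict only when that check passes, and then checks the visitor-to-Cloudflare leg for a 526.

```shell
# Added example, not code from the original post or from Cloudflare.
# Environment (assumed): CF_API_TOKEN, CF_ZONE_ID, DOMAIN, ORIGIN_IP, ORIGIN_CA_ROOT.
set -eu

# What each API value for the "ssl" zone setting means for the Cloudflare -> origin leg.
describe_mode() {
  case "$1" in
    off)      echo "no HTTPS on either leg" ;;
    flexible) echo "plaintext HTTP to origin" ;;
    full)     echo "TLS to origin, origin certificate NOT validated" ;;
    strict)   echo "TLS to origin, origin certificate validated (Full (Strict))" ;;
    *)        echo "unknown mode: $1"; return 1 ;;
  esac
}

# Pull "value" out of the GET /zones/{zone_id}/settings/ssl response body.
# sed only, so there is no jq dependency; the result object is flat.
ssl_mode_from_json() {
  printf '%s' "$1" | sed -n 's/.*"value": *"\([a-z]*\)".*/\1/p'
}

is_strict() { [ "$1" = "strict" ]; }

# Constructed sample of the API response shape, so the helpers can be exercised offline.
SAMPLE_RESPONSE='{"result":{"id":"ssl","value":"full","editable":true},"success":true,"errors":[],"messages":[]}'

# Live checks run only when credentials are present.
if [ -n "${CF_API_TOKEN:-}" ]; then
  API="https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/settings/ssl"
  AUTH="Authorization: Bearer $CF_API_TOKEN"

  mode=$(ssl_mode_from_json "$(curl -fsS -H "$AUTH" "$API")")
  echo "current mode: $mode -> $(describe_mode "$mode")"

  # Second leg first: talk to the origin directly, bypassing the proxy with
  # --resolve, and trust only the Origin CA root. The system CA bundle does not
  # trust Origin CA certificates, so this is the right trust anchor. No -f here:
  # an HTTP 404 from / is fine, a TLS verification failure (curl exit 60) is not.
  if ! curl -sS -o /dev/null --resolve "$DOMAIN:443:$ORIGIN_IP" \
       --cacert "$ORIGIN_CA_ROOT" "https://$DOMAIN/"; then
    echo "origin does not present a certificate the Origin CA root validates; fix that before switching" >&2
    exit 1
  fi
  echo "origin leg: TLS with a validated certificate"

  if ! is_strict "$mode"; then
    curl -fsS -X PATCH -H "$AUTH" -H 'Content-Type: application/json' \
      --data '{"value":"strict"}' "$API" >/dev/null
    echo "switched zone to strict"
  fi

  # First leg: through Cloudflare. A 526 here means the edge rejected the
  # origin certificate after the switch.
  edge_code=$(curl -sS -o /dev/null -w '%{http_code}' "https://$DOMAIN/")
  echo "edge leg: HTTP $edge_code"
  [ "$edge_code" != "526" ] || { echo "origin certificate rejected by Cloudflare" >&2; exit 1; }
fi
```

Two things to expect when running it. If the origin firewall only admits Cloudflare's IP ranges, run the direct check from a host that is allowed through, or from the origin itself. And a plain `curl https://origin-ip` without `--cacert` failing verification is normal for an Origin CA certificate; the certificate is meant to be trusted by Cloudflare's edge, not by public clients.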
If you don't know which mode you're in, you're probably not on Full (Strict); the current mode is shown under SSL/TLS in the Cloudflare dashboard, and the API returns it as the zone's "ssl" setting. The padlock in the browser is not a guarantee of end-to-end encryption. It is a guarantee that the browser is talking to Cloudflare's edge over TLS, and nothing more. Source: https://dev.to/daanial/your-customer-thinks-their-site-has-https-it-probably-doesnt-4j73