TLS encryption modes

Set the TLS mode by selecting one of the following options from the Mode list.

These options are listed in the order from the most secure to the least secure (Off):

1. Authenticated origin pull: (Enterprise only)
2. HTTPS only origin pull (Enterprise only)
3. End-to-end CA signed (default and recommended)
4. End-to-end flexible (edge to origin certificates can be self-signed)
5. Client-to-edge (edge to origin not encrypted, self-signed certificates are not supported)
6. Off (not recommended)

End-to-end CA signed

This mode is the default and recommended setup. A secure connection is set up between the visitor and CIS, and a secure and authenticated connection between CIS and your web server. Your server must be set up to handle HTTPS connections, with a valid TLS certificate. This certificate must be signed by a certificate authority (CA), have an expiration date in the future, and respond for the request domain name (hostname). It is recommended that you use this TLS mode for best security practices, unless you understand the potential security threats of changing to one of the less strict modes.

End-to-end flexible

In this mode, a secure connection is set up between your visitor and CIS, while a secure but non-authenticated connection between CIS and your web server. Your server must be set up to handle HTTPS connections, at a minimum with a self-signed certificate. However, the authenticity of this certificate is not verified. CIS connects to your origin web server when the address of your origin web server is correctly configured in your DNS settings. Use this mode if you can't obtain a certificate that is signed from a CA. Keep in mind that it is less secure compared to the end-to-end CA signed mode.

Client-to-edge

In this mode, a secure encrypted connection is set up between your visitor and CIS, and a non-secure unencrypted connection between CIS and your web server. You don't need to have a TLS certificate on your web server, but your visitors still see the site as being HTTPS-enabled. This option is not recommended if you have any sensitive information on your website. This mode works only for redirecting traffic from port 443 (HTTPS) to port 80 (HTTP) and must be used only as a last resort if you are not able to set up TLS on your own web server. It is less secure than any other option (even "Off"), and might cause trouble when you decide to switch away from it.

Off

In this mode, no secure connection exists between your visitors and CIS, and between CIS and your web server. Visitors can view your website only over HTTP, and any visitor who attempts to connect with HTTPS receives an HTTP 301 Redirect to the plain HTTP version of your website. This mode is not recommended because it exposes all data and is least secure compared to the previous modes.

Traffic encryption - Minimum TLS version

Set the minimum TLS version for traffic that tries to connect to your site by selecting one of the versions from the list.

By default, this version is set to 1.2. Higher TLS versions provide additional security, but might not be supported by all browsers, which might prevent some customers from connecting to your site.

To update the minimum TLS version with the API, see Update minimum TLS version setting.