Ensuring Cloudflare SSL / TLS is secure
You may have seen articles online discussing whether it is secure. Scott Helme wrote a really good article on the subject. Here is an easy-to-follow method to ensure it is as secure as possible. We will go through each step, but in summary:
- Use SSL in strict mode
- Use HTTP Strict Transport Security (where full SSL is required)
- Use TLS 1.2 only (requires business plan)
- Use TLS origin authentication
When you use SSL / TLS in strict mode, a valid certificate is required between your server and Cloudflare. There are a number of free certificate authorities, including Let's Encrypt and StartCom.
For sites that require full SSL / TLS, use HTTP Strict Transport Security.
If you have a business plan, it is worth turning on the PCI-compliant TLS 1.2 ciphers.
Finally, use TLS origin authentication. In simple terms, this works by Cloudflare presenting a certificate to the back-end server, which then validates it. This prevents attackers from sidestepping Cloudflare's protection.
Before you turn it on, you need to set up your web server so it will work. There is a very simple guide on setting it up using Nginx here:
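As an added example (not from the original post or from the Nginx guide it links to), here is an origin-side Nginx server block that puts the four steps above together: a publicly valid certificate for strict mode, TLS 1.2 only, HSTS, and client-certificate verification for authenticated origin pulls. The domain example.com, the certificate paths and the origin-pull CA file name are placeholders, and the cipher list is one reasonable choice rather than Cloudflare's exact PCI set.

```nginx
# Added example, not the post's own configuration. All paths and the
# domain example.com are placeholders to be replaced with your own.

# Redirect plain HTTP to HTTPS so the HSTS header below is ever seen.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domain
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;   # placeholder domain

    # Strict mode: Cloudflare validates this certificate, so it must be
    # issued by a public CA (e.g. Let's Encrypt) and match the hostname.
    # Paths are assumed; they follow the usual certbot layout.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Accept TLS 1.2 only on the origin side. This is independent of the
    # TLS 1.2-only setting on the Cloudflare edge mentioned in the post.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    # Authenticated origin pulls: require a client certificate signed by
    # the Cloudflare origin-pull CA. The file path is an assumption; the
    # CA certificate itself comes from Cloudflare's documentation.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    # HSTS: browsers will use HTTPS for one year. Only add includeSubDomains
    # once every subdomain is actually served over valid TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root  /var/www/example.com;   # placeholder document root
        index index.html;
    }
}
```

Check the file with `nginx -t` before reloading. Because `ssl_verify_client on` refuses any connection that does not present a certificate signed by that CA, enable the Authenticated Origin Pulls setting in the Cloudflare dashboard at the same time as you reload Nginx; setting `ssl_verify_client optional` first lets you confirm that Cloudflare's requests are carrying the certificate before you make it mandatory.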