Knowledge
How to get A+ grade SSL using Cloudflare
#Security
By default Cloudflare configures your security for SSL and HTTPS traffic for maximum connectivity and not for best security. Connectivity and security are unexchangeable, by letting more old insecure clients connect, you lower the bar for all clients that connect to your website.
Published by Mark van Eijk
on September 24, 2024
Updated on September 24, 2024
· 1 minute read
- Getting started
- Enable Always Use HTTPS
- Enable HSTS
- Set minimum TLS version to 1.2
- Make sure to enable "TLS 1.3"
- Fix legacy HTTP URLs automatically
To keep everything as secure as possible, it is advised to make use of the best new practices and to let go of old and crumbling technology. On the web security is always improving and therefore shifting away from older technologies that just don't make the cut anymore.
To analyze your HTTPS connection for your website, the golden standard for SSL configuration is the SSL Server Test from SSLLabs. This test gives your security configuration a grade and shows you if there are areas for improvement.
The highest grade is an A+ and to achieve this using Cloudflare, follow these easy steps:
Getting started
Login to Cloudflare and navigate to the domain which you want to improve the SSL configuration for.
Navigate to the "SSL/TLS" section and then click on the "Edge Certificates" submenu.
Enable Always Use HTTPS
Enable HTTPS for every visitor by enabling the "Always Use HTTPS" option.
Enable HSTS
To make sure a browser can't connect using HTTP anymore and go directly into HTTPS mode, choose "Enable HSTS" to configure HTTP Strict Transport Security (HSTS)".
Acknowledge the notice that once this setting is enabled, you can't easily go back. So if your website or server does still need HTTP (yikes!) for some legacy URL, you have a problem. But the HTTP URL is already a problem on itself.
Set minimum TLS version to 1.2
Scroll down until you see "Minimum TLS Version" and select "1.2" as the minimum version clients can use to connect to your website. This skips unsecure versions 1.0 and 1.1 of TLS. At some point it should be feasible to add 1.3 as the minimum version, but nowadays there are too many clients still compatible with 1.2 only.
Make sure to enable "TLS 1.3"
Enable TLS 1.3 by making sure the toggle is switched on, this way the newest version of TLS can be used by all clients.
Fix legacy HTTP URLs automatically
This one is not necessarily needed for an A+ grade on SSLLabs, but enabling "Automatic HTTPS Rewrites" makes sure your websites does not follow or uses any HTTP references anymore. Everything should be HTTPS, to make sure no mixed content is used on your website.
You're done! Now run that SSLLabs test and get your A+ grade.
Subscribe to our newsletter
Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!
Related articles
How to extract private key from PFX file
By default Cloudflare configures your security for SSL and HTTPS traffic for maximum connectivity and not for best security. Connectivity and security are unexchangeable, by letting more old insecure clients connect, you lower the bar for all clients that connect to your website.
How to extract the certificate from a PFX file
By default Cloudflare configures your security for SSL and HTTPS traffic for maximum connectivity and not for best security. Connectivity and security are unexchangeable, by letting more old insecure clients connect, you lower the bar for all clients that connect to your website.