Cloudflare SSL/TLS Hardening: HTTPS, HSTS & TLS 1.3
Help Apr 2, 2026

Cloudflare’s default SSL/TLS settings favour compatibility over security. Five changes in the SSL/TLS → Edge Certificates panel fix that — and each one maps directly to a score category in SSLBoard.


1. Always Use HTTPS

SSL/TLS → Edge Certificates → Always Use HTTPS → On

Every HTTP request gets a 301 redirect to HTTPS at Cloudflare’s edge, before it touches your origin. No path or subdomain is excluded. One toggle, zero room for accidental plain-text traffic.

SSLBoard impact: improves your Web Hardening score. SSLBoard checks every hostname for HTTPS redirect coverage — any host still answering on port 80 without a redirect is flagged.


2. HTTP Strict Transport Security (HSTS)

SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS)

A 301 redirect still means the browser made an HTTP request in the first place. HSTS fixes that: once a browser has seen the header, it upgrades every subsequent request to HTTPS internally. No HTTP request ever leaves the machine again.

Cloudflare exposes four HSTS settings:

  • Max Age — how long browsers remember the policy. 6 months (15 768 000 s) is a solid default.
  • Include Subdomains — applies the policy to all subdomains. In 2026, every subdomain should be served over HTTPS. Enable it.
  • Preload — adds the preload directive to the HSTS header. This alone doesn’t do anything — you still need to submit your domain at hstspreload.org and meet their requirements (max-age ≥ 1 year, includeSubDomains enabled). Once accepted, browsers hardcode HTTPS for your domain, covering even the first visit. It’s the only way to eliminate that initial HTTP request, but it’s a serious commitment: removal takes months.
  • No-Sniff Header — adds X-Content-Type-Options: nosniff. Enable it.

Tip: set Max Age to something short (5 minutes) first, verify nothing breaks, then ramp up.

SSLBoard impact: also Web Hardening. SSLBoard checks HSTS on every hostname individually — even one missing host drags the score down. In a typical Cloudflare setup, this is one of the easiest wins available.
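As an added example (not code from the article or from SSLBoard), a small Python checker that parses a Strict-Transport-Security header the way a browser would and flags the gaps this section describes: a max-age below the 6-month default, a missing includeSubDomains, and a preload directive that hstspreload.org would reject. The thresholds are the article's own; the header strings it is run against are constructed.

```python
# Thresholds taken from the article: 6 months as the default, 1 year for preload.
SIX_MONTHS = 15_768_000
ONE_YEAR = 31_536_000

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    max-age is converted to an int, every other directive maps to True."""
    policy = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.lower().strip()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy[name] = int(value)
        else:
            policy[name] = True
    if "max-age" not in policy:
        raise ValueError("HSTS header has no max-age directive")
    return policy

def check_hsts(header):
    """Return a list of findings; an empty list means the header meets the article's recommendations."""
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    max_age = policy["max-age"]
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < SIX_MONTHS:
        findings.append(f"max-age {max_age}s is below the 6-month default")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains are not covered")
    if "preload" in policy:
        # The preload directive alone does nothing; hstspreload.org also demands
        # a max-age of at least one year and includeSubDomains before accepting a domain.
        if max_age < ONE_YEAR:
            findings.append("preload set but max-age is under 1 year; hstspreload.org will reject it")
        if "includesubdomains" not in policy:
            findings.append("preload set but includeSubDomains missing; hstspreload.org will reject it")
    return findings
```

Run it against the header returned by each hostname during the ramp-up described in the tip: the short-max-age finding is expected early on and should disappear once you raise Max Age to 6 months.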


3. Minimum TLS Version: 1.2

SSL/TLS → Edge Certificates → Minimum TLS Version → TLS 1.2

TLS 1.0 and 1.1 are deprecated, vulnerable (BEAST, POODLE), and unsupported by every modern browser. Accepting them in 2026 is indefensible. Setting TLS 1.2 as the floor means clients that can’t negotiate it get a handshake failure instead of a degraded connection.

TLS 1.2 shipped in 2008. If something in your stack still can’t speak it, that’s the thing that needs fixing.

SSLBoard impact: Protocols score. Any endpoint still accepting TLS 1.0 or 1.1 gets penalised. Setting the minimum to 1.2 in Cloudflare clears that across your entire edge in one click.


4. TLS 1.3

SSL/TLS → Edge Certificates → TLS 1.3 → On

TLS 1.3 strips out legacy cipher suites, cuts the handshake from two round trips to one (zero on resumption), and mandates forward secrecy. Cloudflare will negotiate 1.3 when the client supports it and fall back to 1.2 when it doesn’t. Purely additive, no breakage.

There’s another reason this matters: TLS 1.3 is a hard prerequisite for post-quantum cryptography. Cloudflare already supports ML-KEM for key exchange, but it runs inside the TLS 1.3 handshake — there is no PQC path over TLS 1.2. If you want your domain to be quantum-ready, TLS 1.3 isn’t optional.

SSLBoard impact: Protocols, Confidentiality and Agility, and Future Readiness. TLS 1.3 support is checked per-endpoint, its mandatory forward secrecy contributes to your Forward Secrecy score, and it’s a prerequisite for PQC readiness.


5. Advanced Certificate Manager: Fix Your Cipher Score

The four settings above are free. But if you run an SSLBoard scan after applying them, you’ll likely still see a mediocre Ciphers score. That’s because Cloudflare’s standard configuration negotiates CBC cipher suites that have no business being in a 2026 TLS stack:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

These all use CBC mode — a long history of timing leaks and padding oracles (BEAST, Lucky Thirteen) — and SHA-1 for their MAC. Modern AEAD suites like AES-GCM and ChaCha20-Poly1305 avoid these structural weaknesses entirely.

The problem: Cloudflare’s free and Pro plans don’t let you control which cipher suites are offered. The only way to drop CBC is to purchase Advanced Certificate Manager (ACM) ($10/month), which unlocks per-hostname cipher suite configuration. With ACM, you can restrict your edge to AEAD-only ciphers and eliminate CBC entirely.
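As an added example, not code from the article, from Cloudflare or from SSLBoard: a Python audit that splits IANA cipher suite names into their parts and separates the four CBC suites named above from the AEAD suites you would keep after restricting the edge with ACM. The AEAD entries in the sample list are constructed, and the classification rules are a simplification of what a scanner applies; they also cover suites the article does not list (non-AEAD stream ciphers, static-RSA key exchange without forward secrecy).

```python
# Sample list (constructed): the four CBC suites the article names, plus AEAD suites
# of the kind negotiated on TLS 1.3 and TLS 1.2 connections.
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]

def classify_suite(name):
    """Split an IANA cipher suite name into its security-relevant properties.
    TLS 1.2 names read TLS_<kx>_<auth>_WITH_<cipher>_<mac>; TLS 1.3 names have no
    _WITH_ part because key exchange is always ephemeral and the cipher always AEAD."""
    if "_WITH_" in name:
        kx_auth, cipher_mac = name[len("TLS_"):].split("_WITH_", 1)
        forward_secrecy = kx_auth.startswith(("ECDHE_", "DHE_"))
    else:
        cipher_mac = name[len("TLS_"):]
        forward_secrecy = True
    aead = any(tag in cipher_mac for tag in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))
    # A bare trailing "_SHA" is the HMAC-SHA1 MAC of the legacy CBC suites;
    # "_SHA256"/"_SHA384" on AEAD suites name the PRF/HKDF hash, not a MAC.
    return {"aead": aead, "cbc": "_CBC_" in cipher_mac,
            "sha1_mac": cipher_mac.endswith("_SHA"), "forward_secrecy": forward_secrecy}

def audit_suites(suites):
    """Return (keep, drop): suite names to keep, and (suite, reasons) pairs to remove."""
    keep, drop = [], []
    for suite in suites:
        props = classify_suite(suite)
        reasons = []
        if props["cbc"]:
            reasons.append("CBC mode (padding-oracle and timing history)")
        elif not props["aead"]:
            reasons.append("not an AEAD suite")
        if props["sha1_mac"]:
            reasons.append("HMAC-SHA1 MAC")
        if not props["forward_secrecy"]:
            reasons.append("no forward secrecy")
        if reasons:
            drop.append((suite, reasons))
        else:
            keep.append(suite)
    return keep, drop
```

Feed it the suite list from a scanner report before and after the ACM change: the drop list should be empty afterwards, and anything still in it is what the Ciphers score is penalising.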

SSLBoard impact: Ciphers score — often the single biggest penalty on a Cloudflare-fronted domain. On SSLBoard’s own report, CBC suites dragged the Ciphers category to 62/100 on an otherwise 92-scoring domain. Removing them is the difference between a good score and a great one.


Summary

Setting                        Value                        Cost
Always Use HTTPS               On                           Free
HSTS                           Enabled, max-age 6 months    Free
Minimum TLS Version            TLS 1.2                      Free
TLS 1.3                        On                           Free
Advanced Certificate Manager   AEAD-only ciphers            $10/month

The first four are free and take five minutes. ACM costs $10/month but it’s the only way to clean up cipher negotiation on Cloudflare. If your TLS score matters — and it should — it’s the most cost-effective improvement available.


Verify Your Changes

After applying these settings, run an SSLBoard report to see the impact. You’ll get a full breakdown across Protocols, Ciphers, Web Hardening, and every other scoring category — so you can confirm the improvements and catch anything you missed.
