Cloudflare SSL/TLS Hardening: HTTPS, HSTS & TLS 1.3
Help Apr 2, 2026

Cloudflare ships with SSL/TLS defaults that lean toward compatibility. That’s fine if you never touch them and don’t care about your TLS posture, but most people reading this probably do. Five changes in the SSL/TLS → Edge Certificates panel will get you most of the way there, and four of them are free.

Each one maps to a scoring category in SSLBoard, so you can verify the impact after.


1. Always use HTTPS

SSL/TLS → Edge Certificates → Always Use HTTPS → On

This sends a 301 redirect for every HTTP request at Cloudflare’s edge, before anything reaches your origin. It covers all paths and subdomains, so no request to your domain will ever be served in plain text.

On SSLBoard, this affects your Web Hardening score. SSLBoard checks every hostname for HTTPS redirect coverage, so any host still answering on port 80 without a redirect gets flagged.


2. HTTP Strict Transport Security (HSTS)

SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS)

A 301 redirect is better than nothing, but the browser still made an HTTP request to get that redirect. HSTS fixes that gap. Once a browser sees the HSTS header, it upgrades every future request to HTTPS internally. The HTTP request never leaves the machine.

Cloudflare gives you four HSTS settings:

  • Max Age controls how long browsers remember the policy. 6 months (15,768,000 seconds) is a reasonable starting point.
  • Include Subdomains applies the policy across all subdomains. There’s no good reason to serve any subdomain over plain HTTP at this point, so enable it.
  • Preload adds the preload directive to the header. On its own this doesn’t actually do anything. You still need to submit your domain at hstspreload.org, meet their requirements (max-age of at least 1 year, includeSubDomains enabled), and wait for acceptance. Once you’re in, browsers hardcode HTTPS for your domain, which covers even the very first visit. It’s the only way to eliminate that initial HTTP request entirely. Removal takes months, though, so make sure you’re ready to commit.
  • No-Sniff Header adds X-Content-Type-Options: nosniff. Turn it on.

You probably want to set Max Age to something short like 5 minutes first, make sure nothing breaks, then ramp up.

SSLBoard checks HSTS on every hostname individually, so even one missing host drags your Web Hardening score down.
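The two checks described in sections 1 and 2, as an added example (not SSLBoard's or Cloudflare's code): one function validates a hostname's port 80 response for the permanent HTTPS redirect, the other parses the Strict-Transport-Security header and flags the same gaps the text calls out, including a preload directive sent with a max-age below the one-year rule. The sample responses are constructed, and the one-year threshold of 31,536,000 seconds is an assumption.

```python
import re

# Assumption: hstspreload.org's "max-age of at least 1 year" taken as 31,536,000 s.
PRELOAD_MIN_MAX_AGE = 31_536_000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797: names are case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())  # max-age may be quoted
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def check_redirect(status, headers):
    """Findings for a hostname's plain-HTTP (port 80) response."""
    location = headers.get("Location", "")
    if status not in (301, 308):
        return [f"port 80 answered {status} instead of a permanent redirect"]
    if not location.lower().startswith("https://"):
        return [f"redirect target is not https: {location!r}"]
    return []

def check_hsts(https_headers):
    """Findings for the HSTS policy; checked on the HTTPS response only,
    because browsers ignore an HSTS header received over plain HTTP."""
    raw = https_headers.get("Strict-Transport-Security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    p, findings = parse_hsts(raw), []
    if p["max_age"] is None:
        findings.append("HSTS max-age missing or malformed")
    if not p["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains")
    if p["preload"] and ((p["max_age"] or 0) < PRELOAD_MIN_MAX_AGE
                         or not p["include_subdomains"]):
        findings.append("preload set but hstspreload.org requirements not met")
    return findings

# Constructed sample responses (not captured from any real host).
SAMPLE_HTTP = (301, {"Location": "https://www.example.test/"})
SAMPLE_HTTPS = {"Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload"}
```

Run both checks against every hostname in the zone, not just the apex, since a single host without the redirect or the header is enough to lower the score.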


3. Minimum TLS version: 1.2

SSL/TLS → Edge Certificates → Minimum TLS Version → TLS 1.2

SSLv3, TLS 1.0, and TLS 1.1 are all deprecated and vulnerable to known attacks like BEAST and POODLE. No modern browser supports them anymore. There’s really no reason to accept them in 2026. Setting TLS 1.2 as the floor means clients that can’t negotiate it get a handshake failure instead of a degraded connection.

TLS 1.2 shipped in 2008. If something in your stack still can’t speak it, that’s the thing that needs fixing, not your minimum version.

SSLBoard penalises any endpoint still accepting TLS 1.0 or 1.1 in the Protocols score. Setting the minimum to 1.2 in Cloudflare clears that across your entire edge.


4. TLS 1.3

SSL/TLS → Edge Certificates → TLS 1.3 → On

TLS 1.3 drops legacy cipher suites, cuts the handshake from two round trips to one (zero on resumption), and requires forward secrecy. Cloudflare will negotiate 1.3 when the client supports it and fall back to 1.2 when it doesn’t, so turning this on won’t break anything.

TLS 1.3 is also a hard prerequisite for post-quantum cryptography, a point that is easy to miss. Cloudflare already supports ML-KEM for key exchange, but it runs inside the TLS 1.3 handshake. There is no PQC path over TLS 1.2. If you want your domain to be quantum-ready, TLS 1.3 has to be on.

SSLBoard checks TLS 1.3 support per endpoint. It factors into your Protocols score and your Future Readiness score. The mandatory forward secrecy in 1.3 also helps your Confidentiality and Agility score.


5. Advanced Certificate Manager: the cipher problem

The four settings above are free. But if you run an SSLBoard scan after applying them, you’ll probably still see a mediocre Ciphers score. That’s because Cloudflare’s standard configuration still negotiates these CBC cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

CBC mode has a long history of timing leaks and padding oracles (BEAST, Lucky Thirteen), and these suites use SHA-1 for their MAC on top of that. AEAD suites like AES-GCM and ChaCha20-Poly1305 don’t have those structural problems.

The catch is that Cloudflare’s free and Pro plans don’t let you control which cipher suites are offered. If you want to drop CBC, you need to purchase Advanced Certificate Manager (ACM) for $10/month. ACM unlocks per-hostname cipher suite configuration, so you can restrict your edge to AEAD-only ciphers.

On SSLBoard’s own domain, CBC suites dragged the Ciphers category to 62 out of 100 on what was otherwise a 92-scoring domain. Removing them was the single biggest score improvement we made.
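An added example (not SSLBoard's or Cloudflare's code) of the audit behind the Ciphers score: it classifies IANA cipher suite names by mode (AEAD or CBC), MAC (a bare "SHA" suffix means HMAC-SHA1) and key exchange (forward secrecy), then splits an offered list into the suites to keep and the ones to drop with a reason for each. The offered list is constructed from the four CBC suites named above plus typical AEAD suites, and goes slightly beyond the text by also flagging static-RSA suites that lack forward secrecy.

```python
import re
# Constructed sample of offered suites: the four CBC suites named above plus typical
# AEAD suites; not a capture from any real edge.
OFFERED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",           # TLS 1.3 suite: no key exchange in the name
    "TLS_RSA_WITH_AES_128_CBC_SHA256",  # static RSA key exchange: no forward secrecy
]

# IANA naming: TLS_<kx>_WITH_<cipher>_<mac> for TLS 1.2, TLS_<aead>_<hash> for 1.3.
TLS12_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")
TLS13_RE = re.compile(r"^TLS_(?P<cipher>AES_\d+_(GCM|CCM|CCM_8)|CHACHA20_POLY1305)_SHA\d+$")

def classify_suite(name):
    """Flags for an IANA suite name: aead, forward_secrecy, sha1_mac, tls13."""
    if TLS13_RE.match(name):  # 1.3 suites are all AEAD with ephemeral key exchange
        return {"aead": True, "forward_secrecy": True, "sha1_mac": False, "tls13": True}
    m = TLS12_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    aead = any(tag in m["cipher"] for tag in ("GCM", "CCM", "POLY1305"))
    return {
        "aead": aead,
        "forward_secrecy": m["kx"].startswith(("ECDHE", "DHE")),
        "sha1_mac": not aead and m["mac"] == "SHA",  # bare "SHA" means HMAC-SHA1
        "tls13": False,
    }

def audit_suites(suites):
    """Split an offered list into (keep, drop); drop maps suite -> reasons."""
    keep, drop = [], {}
    for suite in suites:
        flags = classify_suite(suite)
        reasons = []
        if not flags["aead"]:
            reasons.append("CBC/non-AEAD")
        if flags["sha1_mac"]:
            reasons.append("HMAC-SHA1")
        if not flags["forward_secrecy"]:
            reasons.append("no forward secrecy")
        if reasons:
            drop[suite] = reasons
        else:
            keep.append(suite)
    return keep, drop
```

The keep list is what an ACM per-hostname cipher configuration restricted to AEAD suites would leave offered.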


Quick reference

Setting                       Value                        Cost
Always Use HTTPS              On                           Free
HSTS                          Enabled, max-age 6 months    Free
Minimum TLS Version           TLS 1.2                      Free
TLS 1.3                       On                           Free
Advanced Certificate Manager  AEAD-only ciphers            $10/month

Four of the five are free and take about five minutes total. ACM is $10/month, but it’s the only way to get CBC off your edge on Cloudflare.

After you make these changes, run an SSLBoard report to confirm the improvements and catch anything you missed.
