Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Authenticated Origin Pulls (mTLS)

Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of Full or Full (strict) encryption modes.

This authentication becomes particularly important with the Cloudflare Web Application Firewall (WAF). Together with the WAF, you can make sure that all traffic is evaluated before receiving a response from your origin server.

If you want your domain to be FIPS compliant, you must upload your own certificate. This option is available for both zone-level and per-hostname authenticated origin pulls.

​​ Availability

Free Pro Business Enterprise


Yes Yes Yes Yes

​​ More information

​​ Limitations

Authenticated Origin Pulls is not compatible with Railgun (deprecated) and does not apply when your SSL/TLS encryption mode is set to Off or Flexible.