Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

SSL/TLS Recommender

The SSL/TLS Recommender helps you choose which Encryption mode is best for your application.

​​ Availability

Free Pro Business Enterprise


Yes Yes Yes Yes

​​ Common tasks

​​ Enable SSL/TLS recommendations

To make sure you do not inadvertently block the SSL/TLS Recommender, review your settings to make sure your domain:

  • Is accessible.
  • Is not blocking requests from our bot (which uses a user agent of Cloudflare-SSLDetector).
  • Does not have any active, SSL-specific Page Rules or Configuration rules.

Then, you can enable the SSL/TLS recommender.

To enable SSL/TLS recommendations in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account and application.
  2. Go to SSL/TLS.
  3. For SSL/TLS Recommender, switch the toggle to On.

To adjust your SSL/TLS Recommender enrollment with the API, send a PATCH request with the enabled parameter set to your desired setting (true or false).

​​ Manually trigger a new scan

Once you enable it, the recommender runs future scans periodically — typically every two days — and sends notifications if new recommendations become available.

To manually re-trigger a new scan, disable and then re-enable SSL/TLS recommendations.

​​ How it works

Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly targeting the user agent).

Based on this initial scan, the Recommender may decide that you could use a stronger SSL encryption mode. It will never recommend a weaker option than what is currently configured.

If so, it will send the application owner an email with the recommended option and add a Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required to use this recommendation.

If you do not receive an email, keep your current SSL encryption mode.