Portal Community

ssl/getSettings

Retrieve the current SSL/TLS configuration for a Cloudflare zone.

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with SSL and Certificates.Read permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.

Sample Configuration

{
  "resource": "ssl",
  "operation": "getSettings",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_ssl_read }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353"
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is emptySet the ApiToken credential with SSL and Certificates.Read permission
MISSING_ZONE_IDZoneId is emptyProvide the Zone ID
UNKNOWN_ERRORCloudflare API errorVerify Zone ID and token permissions

Output

Success Port

FieldTypeDescription
modestringCurrent SSL mode: off, flexible, full, or strict
universalSslEnabledbooleanWhether Cloudflare Universal SSL is enabled
minimumTlsVersionstringMinimum TLS version enforced: 1.0, 1.1, 1.2, or 1.3
tlsClientAuthstringMutual TLS client authentication setting

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "mode": "full",
  "universalSslEnabled": true,
  "minimumTlsVersion": "1.2",
  "tlsClientAuth": "off"
}

Expression Reference

ExpressionReturns
{{ $node.SslGetSettings.output.mode }}Current SSL mode string
{{ $node.SslGetSettings.output.minimumTlsVersion }}Minimum TLS version enforced
{{ $node.SslGetSettings.output.universalSslEnabled }}Boolean — true if Universal SSL is on

Node Policies & GuardRails

PolicyDetail
Use read-only tokenSSL and Certificates.Read is sufficient — do not use an Edit token for read operations
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON
Gate ssl/setMode on this checkCall ssl/getSettings before ssl/setMode to log the current value — enables rollback if needed
Alert on non-compliant modeAdd an IfCondition node to alert if mode is off or flexible — these modes are not acceptable for production zones
Check TLS version for compliancePCI-DSS requires TLS 1.2 minimum — alert if minimumTlsVersion is 1.0 or 1.1

Examples

Example 1: Pre-Launch SSL Compliance Gate

As part of the go-live checklist: call ssl/getSettings and add an IfCondition. If mode !== "full" and mode !== "strict", halt the deployment and send a PagerDuty alert. Only proceed when SSL mode is production-grade.

Example 2: Multi-Zone Compliance Audit

Use zone/list to get all zone IDs. Loop through each zone calling ssl/getSettings. Build a report of zones with minimumTlsVersion below 1.2 or mode of off or flexible. Send the report to the security team.

Example 3: Pre-Update Snapshot

Before calling ssl/setMode, call ssl/getSettings and store the result in a VariableAssignment node. If the mode update causes site issues, use the stored value to revert via a subsequent ssl/setMode call.