Portal / Nodes / Cloudflare / ssl/getSettings
ssl/getSettings
Retrieve the current SSL/TLS configuration for a Cloudflare zone.
When to Use
- Compliance audit: Read SSL mode and minimum TLS version across all zones to verify they meet organizational security standards.
- Pre-go-live verification: Confirm SSL mode is not
off or flexible before launching a new application or domain.
- Cross-zone comparison: Compare SSL settings between staging and production zones to detect configuration drift before a release.
- Documentation export: Capture SSL settings as part of an infrastructure audit package for compliance reporting.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with SSL and Certificates.Read permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
Sample Configuration
{
"resource": "ssl",
"operation": "getSettings",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_ssl_read }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353"
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty | Set the ApiToken credential with SSL and Certificates.Read permission |
MISSING_ZONE_ID | ZoneId is empty | Provide the Zone ID |
UNKNOWN_ERROR | Cloudflare API error | Verify Zone ID and token permissions |
Output
Success Port
| Field | Type | Description |
mode | string | Current SSL mode: off, flexible, full, or strict |
universalSslEnabled | boolean | Whether Cloudflare Universal SSL is enabled |
minimumTlsVersion | string | Minimum TLS version enforced: 1.0, 1.1, 1.2, or 1.3 |
tlsClientAuth | string | Mutual TLS client authentication setting |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"mode": "full",
"universalSslEnabled": true,
"minimumTlsVersion": "1.2",
"tlsClientAuth": "off"
}
Expression Reference
| Expression | Returns |
{{ $node.SslGetSettings.output.mode }} | Current SSL mode string |
{{ $node.SslGetSettings.output.minimumTlsVersion }} | Minimum TLS version enforced |
{{ $node.SslGetSettings.output.universalSslEnabled }} | Boolean — true if Universal SSL is on |
Node Policies & GuardRails
| Policy | Detail |
| Use read-only token | SSL and Certificates.Read is sufficient — do not use an Edit token for read operations |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
| Gate ssl/setMode on this check | Call ssl/getSettings before ssl/setMode to log the current value — enables rollback if needed |
| Alert on non-compliant mode | Add an IfCondition node to alert if mode is off or flexible — these modes are not acceptable for production zones |
| Check TLS version for compliance | PCI-DSS requires TLS 1.2 minimum — alert if minimumTlsVersion is 1.0 or 1.1 |
Examples
Example 1: Pre-Launch SSL Compliance Gate
As part of the go-live checklist: call ssl/getSettings and add an IfCondition. If mode !== "full" and mode !== "strict", halt the deployment and send a PagerDuty alert. Only proceed when SSL mode is production-grade.
Example 2: Multi-Zone Compliance Audit
Use zone/list to get all zone IDs. Loop through each zone calling ssl/getSettings. Build a report of zones with minimumTlsVersion below 1.2 or mode of off or flexible. Send the report to the security team.
Example 3: Pre-Update Snapshot
Before calling ssl/setMode, call ssl/getSettings and store the result in a VariableAssignment node. If the mode update causes site issues, use the stored value to revert via a subsequent ssl/setMode call.