Portal Community

ssl/setMode

Set the SSL/TLS encryption mode for a Cloudflare zone.

Immediate live traffic impact: Changing SSL mode takes effect for all traffic on the zone immediately. Setting off disables HTTPS entirely. Setting strict requires a valid origin SSL certificate — if the origin has no valid cert, the site will return SSL errors. Always test on a staging zone first.

SSL Mode Reference

ModeVisitor to CloudflareCloudflare to OriginWhen to Use
offHTTP onlyHTTP onlyNever recommended for production
flexibleHTTPSHTTP (unencrypted)Initial HTTPS setup only — not production
fullHTTPSHTTPS (self-signed cert OK)Origin has any HTTPS certificate
strictHTTPSHTTPS (valid cert required)Origin has CA-signed certificate — recommended for production

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with SSL and Certificates.Edit permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.
ModestringrequiredSSL mode: off, flexible, full, or strict.

Sample Configuration

{
  "resource": "ssl",
  "operation": "setMode",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_ssl_edit }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "Mode": "strict"
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is emptySet the ApiToken credential with SSL and Certificates.Edit permission
MISSING_ZONE_IDZoneId is emptyProvide the Zone ID
UNKNOWN_ERRORInvalid mode value or API errorVerify mode is one of: off, flexible, full, strict

Output

Success Port

FieldTypeDescription
modestringThe SSL mode as now set — confirms the applied value
zoneIdstringThe Zone ID that was updated

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "zoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "mode": "strict"
}

Expression Reference

ExpressionReturns
{{ $node.SslSetMode.output.mode }}Confirmed SSL mode after update
{{ $node.SslSetMode.output.zoneId }}Zone ID that was updated

Node Policies & GuardRails

PolicyDetail
Always read current mode before changing itCall ssl/getSettings first and store the current mode — enables rollback
Test on staging before productionApply mode changes to a staging zone first and verify no SSL errors before targeting production
Verify origin cert before setting strictUse ssl/listCerts to confirm a valid origin certificate exists before upgrading to strict mode
Never set off in productionAdd a workflow guard to block ssl/setMode with Mode = "off" against any zone tagged as production
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON

Examples

Example 1: Post-Certificate-Provisioning SSL Upgrade

After ssl/orderCert returns status active: (1) Call ssl/getSettings to log current mode. (2) Call ssl/setMode with Mode: "strict". (3) Make a test HTTP request to the origin to confirm no SSL errors. (4) If the test fails, call ssl/setMode to revert to the previous mode.

Example 2: Bulk Security Hardening Workflow

Iterate over all zones via zone/list. For each zone, call ssl/getSettings. If mode is flexible or off, call ssl/setMode with Mode: "full" and log the change. Generate a compliance report of all changes made.

Example 3: Temporary Flexible Mode During Certificate Renewal

Before revoking an expired certificate: (1) Call ssl/setMode with Mode: "flexible" to keep HTTPS working while the origin cert is replaced. (2) Provision the new certificate. (3) Call ssl/setMode with Mode: "strict" once the new cert is active.