Portal / Nodes / Cloudflare / ssl/setMode
ssl/setMode
Set the SSL/TLS encryption mode for a Cloudflare zone.
Immediate live traffic impact: Changing SSL mode takes effect for all traffic on the zone immediately. Setting off disables HTTPS entirely. Setting strict requires a valid origin SSL certificate — if the origin has no valid cert, the site will return SSL errors. Always test on a staging zone first.
SSL Mode Reference
| Mode | Visitor to Cloudflare | Cloudflare to Origin | When to Use |
off | HTTP only | HTTP only | Never recommended for production |
flexible | HTTPS | HTTP (unencrypted) | Initial HTTPS setup only — not production |
full | HTTPS | HTTPS (self-signed cert OK) | Origin has any HTTPS certificate |
strict | HTTPS | HTTPS (valid cert required) | Origin has CA-signed certificate — recommended for production |
When to Use
- Post-certificate upgrade to strict: After installing a valid CA-signed certificate on the origin, upgrade the SSL mode from
full to strict as a security hardening step.
- Initial HTTPS onboarding: Set
flexible temporarily while the origin SSL certificate is being provisioned, then upgrade to full or strict once the cert is ready.
- Security policy enforcement: Ensure all zones are set to at minimum
full mode as part of an automated security compliance workflow.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with SSL and Certificates.Edit permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
Mode | string | required | SSL mode: off, flexible, full, or strict. |
Sample Configuration
{
"resource": "ssl",
"operation": "setMode",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_ssl_edit }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"Mode": "strict"
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty | Set the ApiToken credential with SSL and Certificates.Edit permission |
MISSING_ZONE_ID | ZoneId is empty | Provide the Zone ID |
UNKNOWN_ERROR | Invalid mode value or API error | Verify mode is one of: off, flexible, full, strict |
Output
Success Port
| Field | Type | Description |
mode | string | The SSL mode as now set — confirms the applied value |
zoneId | string | The Zone ID that was updated |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"zoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"mode": "strict"
}
Expression Reference
| Expression | Returns |
{{ $node.SslSetMode.output.mode }} | Confirmed SSL mode after update |
{{ $node.SslSetMode.output.zoneId }} | Zone ID that was updated |
Node Policies & GuardRails
| Policy | Detail |
| Always read current mode before changing it | Call ssl/getSettings first and store the current mode — enables rollback |
| Test on staging before production | Apply mode changes to a staging zone first and verify no SSL errors before targeting production |
| Verify origin cert before setting strict | Use ssl/listCerts to confirm a valid origin certificate exists before upgrading to strict mode |
Never set off in production | Add a workflow guard to block ssl/setMode with Mode = "off" against any zone tagged as production |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
Examples
Example 1: Post-Certificate-Provisioning SSL Upgrade
After ssl/orderCert returns status active: (1) Call ssl/getSettings to log current mode. (2) Call ssl/setMode with Mode: "strict". (3) Make a test HTTP request to the origin to confirm no SSL errors. (4) If the test fails, call ssl/setMode to revert to the previous mode.
Example 2: Bulk Security Hardening Workflow
Iterate over all zones via zone/list. For each zone, call ssl/getSettings. If mode is flexible or off, call ssl/setMode with Mode: "full" and log the change. Generate a compliance report of all changes made.
Example 3: Temporary Flexible Mode During Certificate Renewal
Before revoking an expired certificate: (1) Call ssl/setMode with Mode: "flexible" to keep HTTPS working while the origin cert is replaced. (2) Provision the new certificate. (3) Call ssl/setMode with Mode: "strict" once the new cert is active.