---
title: TLS Management
pcx_content_type: reference
weight: 4
---
Mutual TLS (mTLS) adds an extra layer of protection to application connections by validating certificates on the server and the client. When building a SaaS application, you may want to enforce mTLS to protect sensitive endpoints related to payment processing, database updates, and more.
Minimum TLS Version lets you set, per custom hostname, the lowest TLS protocol version a connection must use. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council.
Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake. As a SaaS provider, you can specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames via the API.
Once you have added a custom hostname, you can enable mTLS by using Cloudflare Access. Go to Cloudflare Zero Trust and add mTLS authentication with a few clicks.
Currently, you cannot add mTLS policies for custom hostnames using API Shield.

To set a Minimum TLS Version for a custom hostname:

- Log in to the Cloudflare dashboard and navigate to your account and website.
- Select SSL/TLS > Custom Hostnames.
- Find the hostname to which you want to apply Minimum TLS Version. Select Edit.
- Choose the desired TLS version under Minimum TLS Version and click Save.
While TLS 1.3 is the most recent and most secure version, some older devices do not support it. Refer to Cloudflare's recommendations when deciding which version to use.

For security and regulatory reasons, you may want to allow only connections that use certain cipher suites. Cloudflare provides recommended values and a full cipher suite reference in its Cipher suites documentation.
To set cipher suites for the zone via the API, refer to Edit zone setting and use `ciphers` as the setting name in the URI path.
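The per-hostname Minimum TLS Version and the cipher suite settings above can both be applied through the API. The following script is an added example, not Cloudflare's own code: it builds the request for a single custom hostname and the zone-wide `ciphers` setting, validates the inputs against a constructed allowlist of forward-secret AEAD suites, and includes a handshake probe you can run against a hostname afterwards to confirm that versions below the configured minimum are refused. The endpoint paths, JSON field names, the `min_tls_version` values and the cipher names are assumptions drawn from Cloudflare's public API and cipher suites reference as the author of this example knows them; confirm them against the current documentation before use.

```python
"""Added example (not Cloudflare's own code): build the API requests that set the
per-hostname minimum TLS version and cipher suites described above, then check
the deployed minimum by attempting handshakes at each protocol version.
Endpoint paths and JSON field names follow Cloudflare's public API as the author
of this example knows it; confirm them against the current API reference."""
import json
import socket
import ssl
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Values accepted for min_tls_version (assumption: matches the API reference).
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")

# Constructed allowlist for this example: AEAD suites with forward secrecy only.
# Cloudflare's cipher suites documentation is authoritative for accepted names.
MODERN_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
})


def validate_tls_version(min_tls_version):
    if min_tls_version not in TLS_VERSIONS:
        raise ValueError(f"unsupported min_tls_version {min_tls_version!r}")
    return min_tls_version


def validate_ciphers(ciphers):
    ciphers = list(ciphers)
    if not ciphers:
        raise ValueError("cipher list must not be empty")
    unknown = sorted(set(ciphers) - MODERN_CIPHERS)
    if unknown:
        raise ValueError(f"cipher(s) outside the allowlist: {unknown}")
    return ciphers


def custom_hostname_tls_request(zone_id, hostname_id, min_tls_version, ciphers):
    """Request for PATCH /zones/{zone_id}/custom_hostnames/{hostname_id} that
    sets the minimum TLS version and the cipher list for one hostname."""
    return {
        "method": "PATCH",
        "url": f"{API_BASE}/zones/{zone_id}/custom_hostnames/{hostname_id}",
        "body": {"ssl": {"settings": {
            "min_tls_version": validate_tls_version(min_tls_version),
            "ciphers": validate_ciphers(ciphers),
        }}},
    }


def zone_ciphers_request(zone_id, ciphers):
    """Request for the zone-wide 'Edit zone setting' call, with 'ciphers' as the
    setting name in the URI path, as the page describes."""
    return {
        "method": "PATCH",
        "url": f"{API_BASE}/zones/{zone_id}/settings/ciphers",
        "body": {"value": validate_ciphers(ciphers)},
    }


def send(request, api_token):
    """Submit a request built above; needs network access and a real API token."""
    http_req = urllib.request.Request(
        request["url"],
        method=request["method"],
        data=json.dumps(request["body"]).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(http_req, timeout=15) as resp:
        return json.load(resp)


def probe_tls_versions(hostname, port=443):
    """Attempt one handshake per protocol version and report the outcome, so you
    can confirm that versions below the configured minimum are refused."""
    candidates = (("1.0", ssl.TLSVersion.TLSv1), ("1.1", ssl.TLSVersion.TLSv1_1),
                  ("1.2", ssl.TLSVersion.TLSv1_2), ("1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for label, version in candidates:
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = version  # pin the client to exactly one version
            ctx.maximum_version = version
            with socket.create_connection((hostname, port), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    results[label] = f"accepted ({tls.version()}, {tls.cipher()[0]})"
        except (ssl.SSLError, OSError, ValueError) as exc:
            # Expected for every version below the configured minimum.
            results[label] = f"rejected ({exc.__class__.__name__})"
    return results


if __name__ == "__main__":
    # Dry run with placeholder IDs: print the requests without sending them.
    req = custom_hostname_tls_request(
        "ZONE_ID_PLACEHOLDER", "HOSTNAME_ID_PLACEHOLDER", "1.2",
        ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"])
    print(json.dumps(req, indent=2))
    print(json.dumps(zone_ciphers_request("ZONE_ID_PLACEHOLDER",
                                          sorted(MODERN_CIPHERS)), indent=2))
```

Run it without arguments to see the two request bodies; pass the dictionaries to `send` with a scoped API token to apply them, then call `probe_tls_versions("your.custom.hostname")` and check that every version below the chosen minimum reports `rejected`. The allowlist rejects anything not in `MODERN_CIPHERS` on purpose, so a stray legacy suite fails locally rather than being deployed.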
You can configure alerts to receive notifications before your mutual TLS certificates expire.