TLS Settings — Cloudflare for SaaS
Mutual TLS (mTLS) adds an extra layer of protection to application connections by validating certificates on the server and the client. When building a SaaS application, you may want to enforce mTLS to protect sensitive endpoints related to payment processing, database updates, and more.
Minimum TLS Version allows you to choose a cryptographic standard per custom hostname. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council.
Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake. As a SaaS provider, you can specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames via the API.
Enable mTLS
Once you have added a custom hostname, you can enable mTLS by using Cloudflare Access. Go to Cloudflare Zero Trust and add mTLS authentication with a few clicks.
Enable Minimum TLS Version
Log in to the Cloudflare dashboard and navigate to your account and website.
Select SSL/TLS > Custom Hostnames.
Find the hostname to which you want to apply Minimum TLS Version. Select Edit.
Choose the desired TLS version under Minimum TLS Version and click Save.
Cipher suites
For security and regulatory reasons, you may want to only allow connections from certain cipher suites. Cloudflare provides recommended values and full cipher suite reference in our Cipher suites documentation. Refer to SSL properties of a custom hostname. When making the request, make sure to include Restrict cipher suites for zone
Restrict cipher suites for custom hostname
type
and method
within the ssl
object, as well as the settings
specifications.