
How Authenticated Origin Pulls works

Simple explanation

When visitors request content from your domain, Cloudflare first attempts to serve content from the cache. If this attempt fails, Cloudflare sends a request — or an origin pull — back to your origin web server to get the content.

Authenticated Origin Pulls makes sure that all of these origin pulls come from Cloudflare. Put another way, Authenticated Origin Pulls ensures that any HTTPS requests that originate outside of Cloudflare will not receive a response from your origin.

This block also applies to requests to unproxied DNS records in Cloudflare.

Detailed explanation

Cloudflare enforces authenticated origin pulls by adding an extra layer of TLS client certificate authentication when establishing a connection between Cloudflare and the origin web server.

For more details, refer to the introductory blog post.


Types of handshakes

For more details, refer to What is a TLS handshake?

Standard TLS handshake

Diagram showing the Standard TLS handshake

Client authenticated TLS handshake

Diagram showing the client authenticated TLS handshake

Comparison diagrams

Without Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes both between a client device and Cloudflare and between Cloudflare and your origin. This is true even if you have Full or Full (strict) encryption modes enabled.


This lack of authentication means that, even if your origin is protected behind Cloudflare, attackers with your origin’s IP address will still receive a response from your origin for HTTPS requests.

With Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes between a client device and Cloudflare, but a client-authenticated TLS handshake between Cloudflare and your origin.


This additional layer of authentication ensures that any HTTPS requests that originate outside of Cloudflare will not receive a response from your origin.
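
One way an nginx origin can require the client-authenticated handshake described above, shown next to the standard-handshake configuration it replaces. This is an added example, not configuration from the original page: the hostname, file paths and log format name are placeholders, and the CA file is assumed to be the certificate that signs the client certificate Cloudflare presents on origin pulls.

```nginx
# Added example; hostname, paths and log format name are placeholders.
# log_format and server blocks belong inside the http {} context.

# Record the result of client-certificate verification for every request,
# so requests that bypass Cloudflare show up as NONE or FAILED.
log_format origin_pull '$remote_addr [$time_local] "$request" $status '
                       'client_verify=$ssl_client_verify '
                       'subject="$ssl_client_s_dn"';

# Before: standard TLS handshake only. Anyone who knows the origin IP
# address and sends an HTTPS request for the hostname gets the content.
# server {
#     listen 443 ssl;
#     server_name example.com;
#     ssl_certificate     /etc/nginx/tls/origin.pem;
#     ssl_certificate_key /etc/nginx/tls/origin.key;
# }

# After: client-authenticated TLS handshake.
server {
    listen 443 ssl;
    server_name example.com;

    # Server certificate the origin presents, as in the standard handshake.
    ssl_certificate     /etc/nginx/tls/origin.pem;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # CA used to verify the client certificate sent during the handshake
    # (assumed here to be the CA for the origin-pull client certificate).
    ssl_client_certificate /etc/nginx/tls/origin-pull-ca.pem;

    # "on" rejects requests without a valid client certificate.
    # "optional" would still serve them, so it does not enforce anything.
    ssl_verify_client on;

    access_log /var/log/nginx/origin_pull.log origin_pull;

    location / {
        root /var/www/html;
    }
}
```

With `ssl_verify_client on`, nginx answers a request that lacks a valid client certificate with a 400 error instead of the site's content, and the `client_verify` field in the access log records why.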