Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Authenticated Origin Pulls (mTLS)

Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of Full or Full (strict) encryption modes.

This authentication becomes particularly important with the Cloudflare Web Application Firewall (WAF). Together with the WAF, you can make sure that all traffic is evaluated before receiving a response from your origin server.

Although Cloudflare provides you a certificate to easily configure zone-level authentication, if you want more strict security, you should upload your own certificate. Using a custom certificate is possible with both zone-level and per-hostname authenticated origin pulls and is required if you need your domain to be FIPS compliant.

​​ Availability

FreeProBusinessEnterprise

Availability

YesYesYesYes

​​ More information

​​ Limitations

Authenticated Origin Pulls is not compatible with Railgun (deprecated) and does not apply when your SSL/TLS encryption mode is set to Off or Flexible.