TLS Settings — Cloudflare for SaaS
Mutual TLS (mTLS) adds an extra layer of protection to application connections by validating certificates on the server and the client. When building a SaaS application, you may want to enforce mTLS to protect sensitive endpoints related to payment processing, database updates, and more.
Minimum TLS Version allows you to choose a cryptographic standard per custom hostname. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council.
Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake. As a SaaS provider, you can specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames via the API.
Enable mTLS
Once you have added a custom hostname, you can enable mTLS by using Cloudflare Access. Go to the Cloudflare Zero Trust dashboard and add mTLS authentication with a few clicks.
Enable Minimum TLS Version
- Log in to the Cloudflare dashboard and navigate to your account and website.
- Select SSL/TLS > Custom Hostnames.
- Find the hostname to which you want to apply Minimum TLS Version. Select Edit.
- Choose the desired TLS version under Minimum TLS Version and click Save.
Cipher suites
Cipher suites for zone
Refer to change ciphers setting on a zone.
Cipher suites per custom hostname
Refer to SSL properties of a custom hostname.
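Added example (not Cloudflare's own code): an offline audit that checks each custom hostname's minimum TLS version against the TLS 1.2 recommendation above and builds the update body for the ones that fall short, keeping any per-hostname cipher list intact. The hostname records are constructed sample data shaped like the custom hostname API's `ssl.settings` object (`min_tls_version`, `ciphers`); the function names, the IDs, and the choice to resend `method` and `type` with the settings are assumptions of this example.

```python
# Policy floor for this audit: TLS 1.2, the version the page recommends for PCI.
POLICY_MIN_TLS = "1.2"
TLS_ORDER = ["1.0", "1.1", "1.2", "1.3"]

# Constructed sample records (IDs and hostnames are made up for the example).
SAMPLE_HOSTNAMES = [
    {"id": "ch-0001", "hostname": "app.customer-a.example",
     "ssl": {"method": "http", "type": "dv",
             "settings": {"min_tls_version": "1.0",
                          "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"]}}},
    {"id": "ch-0002", "hostname": "pay.customer-b.example",
     "ssl": {"method": "txt", "type": "dv",
             "settings": {"min_tls_version": "1.2"}}},
    {"id": "ch-0003", "hostname": "www.customer-c.example",
     "ssl": {"method": "http", "type": "dv"}},  # no per-hostname settings at all
]


def audit(hostnames, floor=POLICY_MIN_TLS):
    """Return {hostname_id: reason} for every hostname below the floor or unset."""
    findings = {}
    for h in hostnames:
        settings = (h.get("ssl") or {}).get("settings") or {}
        current = settings.get("min_tls_version")
        if current is None:
            # Unset is reported rather than guessed at: the effective value
            # then depends on configuration outside this record.
            findings[h["id"]] = "min_tls_version not set on hostname"
        elif current not in TLS_ORDER:
            findings[h["id"]] = f"unrecognised min_tls_version {current!r}"
        elif TLS_ORDER.index(current) < TLS_ORDER.index(floor):
            findings[h["id"]] = f"min_tls_version {current} below {floor}"
    return findings


def patch_body(h, floor=POLICY_MIN_TLS):
    """Build the update body that raises the floor without dropping other settings."""
    ssl_cfg = h.get("ssl") or {}
    settings = dict(ssl_cfg.get("settings") or {})  # copy: keeps ciphers etc.
    settings["min_tls_version"] = floor
    return {"ssl": {"method": ssl_cfg["method"], "type": ssl_cfg["type"],
                    "settings": settings}}


if __name__ == "__main__":
    by_id = {h["id"]: h for h in SAMPLE_HOSTNAMES}
    for hid, reason in audit(SAMPLE_HOSTNAMES).items():
        print(by_id[hid]["hostname"], "-", reason, "->", patch_body(by_id[hid]))
```

Copying the existing settings before changing `min_tls_version` matters because a body that carries only the new version could otherwise replace a hostname's restricted cipher list.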