SSL modes for the Web Application Firewall (WAF)

This article helps you determine which SSL mode your site requires. Once you know that, you can change the SSL Mode for your Web Application Firewall (WAF).

The Web Application Firewall (WAF) provides two modes for SSL connections: Partial HTTPS and Full HTTPS.

Partial HTTPS

With Partial HTTPS, the connection between your visitor and the WAF is secure (HTTPS). Between the WAF and your server, however, the connection uses cleartext HTTP, which is not secure.

Although your visitor will see the website as safe, Partial HTTPS is known for causing redirect loops and could be exposed to man-in-the-middle (MitM) attacks. Use it only if absolutely necessary.

Full HTTPS

Full HTTPS is the safest SSL Mode. It is designed to encrypt the whole connection.

This method requires an SSL certificate on the server side. Note that visitors never see the hosting SSL certificate; only the WAF does.

While best practice is for the hosting SSL certificate to be signed and current, and we encourage the use of a trustworthy SSL certificate, this is not technically necessary when the WAF is enabled. The hosting SSL certificate can be self-signed or even expired (you do not need to renew your server SSL certificate). The WAF will continue to accept the server SSL certificate and will always present the WAF's own SSL certificate to your visitors. However, if you want a Strict SSL mode, in which the WAF always checks that the server SSL certificate is valid, please open a Product Support ticket.

Note: For HTTPS requests, the WAF reaches your server on port 80 when using Partial HTTPS and on port 443 when using Full HTTPS. This is hard-coded and cannot be customized.
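
The following is an added example, not code from this product or its documentation: a small Python simulation of why Partial HTTPS can cause a redirect loop and which WAF-to-server leg each mode uses. The origin's force-HTTPS redirect rule, the function names, and www.example.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Per the note above: for HTTPS visitor requests the WAF reaches the origin
# on port 80 in Partial HTTPS and on port 443 in Full HTTPS.
ORIGIN_PORT = {"partial": 80, "full": 443}


def origin(host, path, port, force_https):
    """Constructed origin server: returns (status, Location or None).

    force_https models a common 'redirect everything to HTTPS' rule that
    fires whenever the request reached the origin on the cleartext port.
    """
    if force_https and port == 80:
        return 301, f"https://{host}{path}"
    return 200, None


def waf(url, mode, force_https):
    """Constructed WAF: terminates the visitor connection, then forwards."""
    parts = urlsplit(url)
    # Assumption: plain-HTTP visitor requests go to port 80 in either mode.
    port = ORIGIN_PORT[mode] if parts.scheme == "https" else 80
    status, location = origin(parts.hostname, parts.path or "/", port, force_https)
    return status, location, port


def browse(url, mode, force_https, max_hops=10):
    """Follow redirects like a browser; report loops and the origin leg used."""
    seen, trace = set(), []
    for _ in range(max_hops):
        if url in seen:
            return {"result": "redirect loop", "trace": trace}
        seen.add(url)
        status, location, port = waf(url, mode, force_https)
        leg = "cleartext" if port == 80 else "encrypted"
        trace.append((url, port, leg, status))
        if status != 301:
            return {"result": "ok", "trace": trace}
        url = location
    return {"result": "too many redirects", "trace": trace}


if __name__ == "__main__":
    for mode in ("partial", "full"):
        for force in (True, False):
            print(mode, force, browse("https://www.example.com/", mode, force))
```

In the simulation, Partial HTTPS with a force-HTTPS origin never returns a page, and Partial HTTPS without that rule returns the page over a cleartext WAF-to-server leg.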
