Website Security and Backups Help

SSL modes for the Web Application Firewall (WAF)

This article helps to determine which SSL mode is required for your site. Once this has been determined, you can change the SSL Mode for your Web Application Firewall (WAF).

The Web Application Firewall (WAF) provides two modes for SSL connections: Partial HTTPS and Full HTTPS.

Partial HTTPS

The connection is safe (HTTPS) between your visitor and the WAF, however when reaching your server, the connection uses cleartext HTTP, which is not secure.

Partial HTTPS

Although your visitor will see the website as safe, Partial HTTPS is known for causing redirect loops and could suffer from man-in-the-middle (MitM) attacks. Use it only if completely necessary.


The safest way of configuring the SSL Mode, Full HTTPS is designed to make the whole connection encrypted.


This method requires an SSL certificate on the server side. Beware that your visitors will never see the hosting SSL certificate, only the WAF itself does. Your visitors will always see the SSL certificate uploaded on the WAF.

The hosting SSL certificate could be a self-signed SSL certificate or even an expired SSL certificate (you do not need to renew your server SSL certificate). The WAF will continue to accept the server SSL certificate and always provide your visitors the SSL certificate within the WAF. However, in case you want a Strict SSL mode so the WAF always checks if the server SSL certificate is valid, please open a Product Support ticket.

Note: For HTTPS requests, when using Partial HTTPS, the WAF will reach your server at port 80; when using Full HTTPS, the WAF will reach your server at port 443. This is hard coded and cannot be customized.

More info

Share this article