# The Security Journey (HTTP --> HTTPS)

When I bought my domain [`jaivardhan.online`](http://jaivardhan.online), I thought the story ended there — just point the name to a server and boom, a website. But when I moved it to Cloudflare, a new word kept coming up: **SSL/TLS**.

I had heard of HTTPS before, but I didn’t really know what happens behind the scenes. So I went deep, step by step. This is what I learned

---

## The Traffic Path: User → Cloudflare → My Domain

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756834611903/047a9318-d8d3-4297-b9fe-40cb65ba5727.png align="center")

Let’s start with the big picture.

* **User/Visitor (Browser)** → opens my website ([`https://jaivardhan.online`](https://jaivardhan.online))
    
* **Cloudflare** → sits in the middle, protects my site, and handles a lot of stuff (security, caching, SSL).
    
* **My Domain Host (Hostinger)** → actually stores the site files.
    

So the path is:  
**Client/User ↔ Cloudflare ↔ Domain (Hostinger)**

SSL/TLS decides **how secure** each leg of this journey is.

---

## Cloudflare’s Role in SSL

When I added my domain to Cloudflare, I noticed something cool:

* Cloudflare automatically gave me a **Universal SSL certificate** for free.
    
* That certificate covers the first half of the path: **User ↔ Cloudflare**.
    

That’s why, even though I hadn’t installed anything on Hostinger, my site was already showing as **Secure** in the browser!  
Because Cloudflare was handling HTTPS for visitors.

So basically, Cloudflare acted like:

> “Don’t worry, I’ll take care of the visitors. Even if your server is plain old HTTP, I’ll still show them HTTPS.”

---

## Encryption Modes in Cloudflare

In Cloudflare’s **SSL/TLS settings**, there are different modes:

1. **Off** (not secure)
    
    * No HTTPS at all. Browsers will warn visitors.
        
2. **Flexible**
    
    * **User ↔ Cloudflare** = HTTPS
        
    * **Cloudflare ↔ Hostinger (origin)** = HTTP
        
    * Safer than nothing, but origin side is still plain and vulnerable.
        
3. **Full**
    
    * **User ↔ Cloudflare** = HTTPS
        
    * **Cloudflare ↔ Hostinger** = HTTPS (but Cloudflare doesn’t check if the origin’s certificate is valid).
        
    * Works if your host has SSL (even self-signed).
        
4. **Full (Strict)** —&gt; (the best)
    
    * **User ↔ Cloudflare** = HTTPS
        
    * **Cloudflare ↔ Hostinger** = HTTPS (and the certificate must be valid & trusted).
        
    * Ensures true end-to-end encryption.
        
5. **Strict (SSL-Only Origin Pull)**
    
    * Forces encryption with origin no matter what.
        
    * Useful for locked-down setups.
        

So the key takeaway for me:

* Cloudflare always covers **User ↔ Cloudflare** with its Universal SSL.
    
* But for **Cloudflare ↔ Hostinger**, I need SSL installed at my host if I want Full Strict security.
    

---

## Free SSL at Hostinger (Cloudflare — Domain)

Good news: I didn’t have to buy anything. Hostinger automatically provides a free SSL certificate (via Let’s Encrypt) for domains that are bought using Hostinger.

This means:

* Cloudflare ↔ Hostinger is also encrypted (when set to Full Strict).
    
* My site has true **end-to-end HTTPS**.
    

---

## Big Question: If Hostinger already gives SSL, why still use Cloudflare?

At this point, I thought:

> “Hostinger already gave me a free SSL certificate. So why do I even need Cloudflare? Isn’t SSL the main goal?”

Here’s the reality

Cloudflare ≠ just SSL. It’s much more:

* **Extra Layer of SSL** → Even if Hostinger handles SSL, Cloudflare ensures your visitors get HTTPS instantly without waiting for setup.
    
* **DDoS Protection** → Shields your site if someone floods it with fake traffic.
    
* **CDN (Content Delivery Network)** → Cloudflare has servers worldwide. Visitors get your site from the nearest Cloudflare location, so it loads faster.
    
* **Firewall & Security** → Blocks bots, attackers, and suspicious requests before they even hit your Hostinger server.
    
* **Free Extras** → Like Always Online (shows cached version if your site is down).
    

So think of it this way:

* **Hostinger SSL** = Your server has a lock on its door.
    
* **Cloudflare SSL + Features** = A security guard at the gate + faster delivery service + backup plan.
    

That’s why we can keep Cloudflare even though Hostinger already provides SSL.

---

## Testing My SSL

I ran my domain on **SSL Labs Test** and got a **B rating**.  
That means my setup works, but there are still optimizations I can do later (A+ is the best)
