Skip to content
Cloudflare Docs

Customize cipher suites via API

Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake (and therefore separate from the SSL/TLS protocol).

Before you begin

Note that:

  • Cipher suites are used in combination with other SSL/TLS settings.
  • You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites.
  • Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in SSL/TLS > Edge Certificates.
  • It is not possible to configure minimum TLS version nor cipher suites for Cloudflare Pages hostnames.
  • If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard).
  • If you use Windows you might need to adjust the curl syntax, refer to Making API calls on Windows for further guidance.

Steps and API examples

  1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).

    Below you will find samples covering the recommended ciphers by security level and compliance standards, but you can also refer to the full list of supported ciphers and customize your choice.

  2. Log in to the Cloudflare dashboard and get your Global API Key in My Profile > API Tokens.

  3. Get the Zone ID from the Overview page of the domain you want to specify cipher suites for.

  4. Make an API call to either the Edit zone setting endpoint or the Edit TLS setting for hostname endpoint, specifying ciphers in the URL. List your array of chosen cipher suites in the value field.

Make the following API call with the appropriate {zone_id}, <EMAIL>, and <API_KEY>.

If you choose to use a token, you will not need an email nor an API key. You will instead replace the X-Auth-Email and X-Auth-Key headers by --header "Authorization: Bearer <API_TOKEN>" \.

Terminal window
# To configure cipher suites per hostname, replace the first two lines by the following
# curl --request PUT \
# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \


curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}'

Reset to default values

To reset to the default cipher suites at zone level, use the Edit zone setting endpoint, specifying ciphers as the setting name in the URL, and send an empty array in the value field.

Terminal window
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value": []}'

For guidance around custom hostnames, refer to TLS settings - Cloudflare for SaaS.