The Security Journey (HTTP --> HTTPS)
Jai Vardhan Narayana
When I bought my domain jaivardhan.online, I thought the story ended there — just point the name to a server and boom, a website. But when I moved it to Cloudflare, a new word kept coming up: SSL/TLS.
I had heard of HTTPS before, but I didn’t really know what happens behind the scenes. So I went deep, step by step. This is what I learned
The Traffic Path: User → Cloudflare → My Domain
Let’s start with the big picture.
User/Visitor (Browser) → opens my website (
https://jaivardhan.online)Cloudflare → sits in the middle, protects my site, and handles a lot of stuff (security, caching, SSL).
My Domain Host (Hostinger) → actually stores the site files.
So the path is:
Client/User ↔ Cloudflare ↔ Domain (Hostinger)
SSL/TLS decides how secure each leg of this journey is.
Cloudflare’s Role in SSL
When I added my domain to Cloudflare, I noticed something cool:
Cloudflare automatically gave me a Universal SSL certificate for free.
That certificate covers the first half of the path: User ↔ Cloudflare.
That’s why, even though I hadn’t installed anything on Hostinger, my site was already showing as Secure in the browser!
Because Cloudflare was handling HTTPS for visitors.
So basically, Cloudflare acted like:
“Don’t worry, I’ll take care of the visitors. Even if your server is plain old HTTP, I’ll still show them HTTPS.”
Encryption Modes in Cloudflare
In Cloudflare’s SSL/TLS settings, there are different modes:
Off (not secure)
- No HTTPS at all. Browsers will warn visitors.
Flexible
User ↔ Cloudflare = HTTPS
Cloudflare ↔ Hostinger (origin) = HTTP
Safer than nothing, but origin side is still plain and vulnerable.
Full
User ↔ Cloudflare = HTTPS
Cloudflare ↔ Hostinger = HTTPS (but Cloudflare doesn’t check if the origin’s certificate is valid).
Works if your host has SSL (even self-signed).
Full (Strict) —> (the best)
User ↔ Cloudflare = HTTPS
Cloudflare ↔ Hostinger = HTTPS (and the certificate must be valid & trusted).
Ensures true end-to-end encryption.
Strict (SSL-Only Origin Pull)
Forces encryption with origin no matter what.
Useful for locked-down setups.
So the key takeaway for me:
Cloudflare always covers User ↔ Cloudflare with its Universal SSL.
But for Cloudflare ↔ Hostinger, I need SSL installed at my host if I want Full Strict security.
Free SSL at Hostinger (Cloudflare — Domain)
Good news: I didn’t have to buy anything. Hostinger automatically provides a free SSL certificate (via Let’s Encrypt) for domains that are bought using Hostinger.
This means:
Cloudflare ↔ Hostinger is also encrypted (when set to Full Strict).
My site has true end-to-end HTTPS.
Big Question: If Hostinger already gives SSL, why still use Cloudflare?
At this point, I thought:
“Hostinger already gave me a free SSL certificate. So why do I even need Cloudflare? Isn’t SSL the main goal?”
Here’s the reality
Cloudflare ≠ just SSL. It’s much more:
Extra Layer of SSL → Even if Hostinger handles SSL, Cloudflare ensures your visitors get HTTPS instantly without waiting for setup.
DDoS Protection → Shields your site if someone floods it with fake traffic.
CDN (Content Delivery Network) → Cloudflare has servers worldwide. Visitors get your site from the nearest Cloudflare location, so it loads faster.
Firewall & Security → Blocks bots, attackers, and suspicious requests before they even hit your Hostinger server.
Free Extras → Like Always Online (shows cached version if your site is down).
So think of it this way:
Hostinger SSL = Your server has a lock on its door.
Cloudflare SSL + Features = A security guard at the gate + faster delivery service + backup plan.
That’s why we can keep Cloudflare even though Hostinger already provides SSL.
Testing My SSL
I ran my domain on SSL Labs Test and got a B rating.
That means my setup works, but there are still optimizations I can do later (A+ is the best)
Subscribe to my newsletter
Read articles from Jai Vardhan Narayana directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by