PCI compliance and vulnerabilities mitigation
Because of known vulnerabilities, TLS 1.0 and TLS 1.1 no longer adequately protect data in transit. For Cloudflare customers, the practical impact of PCI DSS is that TLS 1.0 and TLS 1.1 may not be relied on to secure payment card related traffic.
PCI standards recommend TLS 1.2 or higher. Refer to Compliance standards for a list of recommended cipher suites.
Cloudflare also implements mitigations against known vulnerabilities for TLS 1.0 and 1.1.
To configure your Cloudflare domain to only allow connections using TLS 1.2 or newer protocols:
1. Log in to the Cloudflare dashboard.
2. Select your Cloudflare account and website or application.
3. Go to SSL/TLS > Edge Certificates.
4. For Minimum TLS Version, select TLS 1.2 or higher.
Refer to Minimum TLS version for more information about this setting and other setup options.
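After raising the minimum version, confirm from outside that the edge actually refuses TLS 1.0 and 1.1 handshakes and still accepts TLS 1.2 or 1.3, which is what a PCI scanner will test. The script below is an added example, not Cloudflare code: it uses only the Python standard library `ssl` and `socket` modules, pins each probe to a single protocol version, and the host name and port are whatever you pass in. The verdict logic is separated from the network probe so it can be checked on its own.

```python
"""Probe a host for accepted TLS versions and judge the result against the
'TLS 1.2 or higher' requirement.  Added example; not Cloudflare's own tooling.
Host/port are assumed to be supplied by the caller."""
import socket
import ssl
import sys

# Oldest to newest.  With Minimum TLS Version set to 1.2, the first two
# handshakes should be rejected with a protocol_version alert.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _context_for(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is under test
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
    # for the probe so a failure reflects the server's policy, not the client's.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: True (accepted) | False (refused) | None (client
    cannot speak this version, so nothing was learned)}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = _context_for(version)
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    # min == max, so a completed handshake means this exact version
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def pci_verdict(results):
    """(ok, problems): ok only if no pre-1.2 version was accepted and at least
    one of TLS 1.2/1.3 handshakes succeeded."""
    problems = []
    for name in ("TLSv1.0", "TLSv1.1"):
        if results.get(name) is True:
            problems.append(f"{name} accepted; set Minimum TLS Version to 1.2")
    if not any(results.get(n) for n in ("TLSv1.2", "TLSv1.3")):
        problems.append("no TLS 1.2 or 1.3 handshake succeeded")
    return (not problems, problems)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    outcome = probe(target)
    for name, accepted in outcome.items():
        label = {True: "accepted", False: "refused", None: "not testable"}[accepted]
        print(f"{target}: {name:8s} {label}")
    ok, problems = pci_verdict(outcome)
    for p in problems:
        print("FAIL:", p)
    sys.exit(0 if ok else 1)
```

Run it as `python3 tls_probe.py your-domain.example` and expect TLS 1.0 and 1.1 to show as refused. A `None` for the old versions means your local OpenSSL build cannot negotiate them at all, so use a separate scanner for those two rows rather than treating the gap as a pass.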
Cloudflare also applies several mitigations against known vulnerabilities in TLS versions prior to 1.2. For example, Cloudflare does not support:
- TLS-level compression
- Header compression in SPDY 3.1
- RC4
- SSL 3.0
- Renegotiation with clients
- DHE ciphersuites
- Export-grade ciphers
Cloudflare mitigations protect against several attacks:
- CRIME
- BREACH
- POODLE
- RC4 Cryptographic Weaknesses
- SSL Renegotiation Attack
- Protocol Downgrade Attacks
- FREAK
- LogJam
- Sweet32: 3DES is disabled entirely for TLS 1.1 and 1.2, and Cloudflare mitigates it for TLS 1.0 as described below
Cloudflare provides additional mitigations for:
- Heartbleed
- Lucky Thirteen
- CCS injection vulnerability
Cloudflare has patched all servers against these vulnerabilities. In addition, the Cloudflare Web Application Firewall has managed rules that mitigate several of them, including Heartbleed and ShellShock (ShellShock is a Bash vulnerability rather than a TLS one, but the same managed rules cover it).
Security scans that report ROBOT on a domain behind Cloudflare are a false positive. Cloudflare checks the RSA padding in real time and substitutes a random premaster secret when the padding is incorrect, the countermeasure specified in RFC 5246 section 7.4.7.1, so the server's behaviour does not reveal whether the padding was valid and the oracle the attack depends on is not present.
Sweet32 is a vulnerability in the use of the Triple DES (3DES) encryption algorithm in the Transport Layer Security (TLS) protocol. 3DES has a 64-bit block, so once roughly 2^32 blocks (about 32 GB) have been encrypted under one key, birthday collisions between ciphertext blocks become likely enough to leak plaintext. Sweet32 is currently a proof-of-concept attack; there are no known examples of it in the wild. Cloudflare has manually mitigated the vulnerability for TLS 1.0 in the following manner:
- The attacker must collect 32 GB of data from a single TLS session.
- Cloudflare forces new TLS 1.0 session keys on the affected 3DES cipher well before 32 GB of data is collected, so the collision threshold is never reached under a single key.