Security & Hygiene — Outstanding Tasks
1. Cloudflare: SSL to Full (strict)
Status: ⏳ Needs action
What: The SSL/TLS encryption mode is likely still on “Flexible” (encrypted browser→CF, but CF→origin is unencrypted). With Cloudflare Tunnel, CF→VPS is already encrypted by the tunnel, so Full (strict) is the correct mode.
Why: Defense in depth. Full (strict) ensures Cloudflare verifies the origin connection is properly secured, even though the tunnel handles it.
How (30 seconds):
- Dashboard: SSL/TLS → Overview → drag to Full (strict)
- OR recreate API token with scope: Zone > Settings > Edit
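
For the API route, the following is an added example (not part of the original task list) that reads the zone's SSL/TLS mode through Cloudflare's v4 zone settings endpoint and switches it to Full (strict) only if needed. The environment variable names CF_ZONE_ID and CF_API_TOKEN are assumptions, and the token is assumed to carry the Zone > Settings > Edit scope named above.

```python
"""Added example: check a zone's SSL/TLS mode and set it to Full (strict)."""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def ssl_request(zone_id, token, value=None):
    """Build a GET (value=None) or PATCH request for the zone's `ssl` setting."""
    body = None if value is None else json.dumps({"value": value}).encode()
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/ssl",
        data=body,
        method="GET" if value is None else "PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

def current_mode(payload):
    """Return the mode from an API response; raise if the API reports failure."""
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]["value"]

def ensure_strict(zone_id, token, send):
    """Switch to 'strict' (Full (strict)) only when needed; return (before, after)."""
    before = current_mode(send(ssl_request(zone_id, token)))
    if before == "strict":
        return before, before  # already correct, no write issued
    after = current_mode(send(ssl_request(zone_id, token, "strict")))
    return before, after

def http_send(req):
    """Send the request to Cloudflare and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Assumed variable names; keep the token out of shell history and source control.
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    print("before=%s after=%s" % ensure_strict(zone, token, http_send))
```

A result of `before=flexible after=strict` confirms the zone was still on Flexible and has now been changed.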