Customize cipher suites via API
Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake ↗ (and therefore separate from the SSL/TLS protocol).
Note that:
- Cipher suites are used in combination with other SSL/TLS settings.
- You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites.
- Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in SSL/TLS > Edge Certificates ↗.
- It is not possible to configure minimum TLS version nor cipher suites for Cloudflare Pages hostnames.
- If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard).
- If you use Windows you might need to adjust the curlsyntax, refer to Making API calls on Windows for further guidance.
- 
Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection). Below you will find samples covering the recommended ciphers by security level and compliance standards, but you can also refer to the full list of supported ciphers and customize your choice. 
- 
Log in to the Cloudflare dashboard and get your Global API Key in My Profile > API Tokens ↗. 
- 
Get the Zone ID from the Overview page ↗ of the domain you want to specify cipher suites for. 
- 
Make an API call to either the Edit zone setting endpoint or the Edit TLS setting for hostname endpoint, specifying ciphersin the URL. List your array of chosen cipher suites in thevaluefield.
Required API token permissions
 
At least one of the following token permissions 
is required:
- Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \  --request PATCH \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "value": [        "ECDHE-ECDSA-AES128-GCM-SHA256",        "ECDHE-ECDSA-CHACHA20-POLY1305",        "ECDHE-RSA-AES128-GCM-SHA256",        "ECDHE-RSA-CHACHA20-POLY1305",        "ECDHE-ECDSA-AES256-GCM-SHA384",        "ECDHE-RSA-AES256-GCM-SHA384"    ]  }'To configure cipher suites per hostname, replace the first two lines by the following:
curl --request PUT \"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \Required API token permissions
 
At least one of the following token permissions 
is required:
- Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \  --request PATCH \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "value": [        "ECDHE-ECDSA-AES128-GCM-SHA256",        "ECDHE-ECDSA-CHACHA20-POLY1305",        "ECDHE-RSA-AES128-GCM-SHA256",        "ECDHE-RSA-CHACHA20-POLY1305",        "ECDHE-ECDSA-AES256-GCM-SHA384",        "ECDHE-RSA-AES256-GCM-SHA384",        "ECDHE-ECDSA-AES128-SHA256",        "ECDHE-RSA-AES128-SHA256",        "ECDHE-ECDSA-AES256-SHA384",        "ECDHE-RSA-AES256-SHA384"    ]  }'To configure cipher suites per hostname, replace the first two lines by the following:
curl --request PUT \"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \Required API token permissions
 
At least one of the following token permissions 
is required:
- Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \  --request PATCH \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "value": [        "ECDHE-ECDSA-AES128-GCM-SHA256",        "ECDHE-RSA-AES128-GCM-SHA256",        "ECDHE-ECDSA-AES256-GCM-SHA384",        "ECDHE-RSA-AES256-GCM-SHA384",        "ECDHE-ECDSA-CHACHA20-POLY1305",        "ECDHE-RSA-CHACHA20-POLY1305"    ]  }'To configure cipher suites per hostname, replace the first two lines by the following:
curl --request PUT \"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \Required API token permissions
 
At least one of the following token permissions 
is required:
- Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \  --request PATCH \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "value": [        "AES128-GCM-SHA256",        "AES128-SHA",        "AES128-SHA256",        "AES256-SHA",        "AES256-SHA256",        "DES-CBC3-SHA",        "ECDHE-ECDSA-AES128-GCM-SHA256",        "ECDHE-ECDSA-AES128-SHA",        "ECDHE-ECDSA-AES128-SHA256",        "ECDHE-ECDSA-AES256-GCM-SHA384",        "ECDHE-ECDSA-AES256-SHA384",        "ECDHE-RSA-AES128-GCM-SHA256",        "ECDHE-RSA-AES128-SHA",        "ECDHE-RSA-AES128-SHA256",        "ECDHE-RSA-AES256-GCM-SHA384",        "ECDHE-RSA-AES256-SHA",        "ECDHE-RSA-AES256-SHA384"    ]  }'To configure cipher suites per hostname, replace the first two lines by the following:
curl --request PUT \"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \To reset to the default cipher suites at zone level, use the Edit zone setting endpoint, specifying ciphers as the setting name in the URL, and send an empty array in the value field.
Required API token permissions
 
At least one of the following token permissions 
is required:
- Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \  --request PATCH \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "value": []  }'For specific hostname settings, use the Delete TLS setting for hostname endpoint.
Required API token permissions
 
At least one of the following token permissions 
is required:
- SSL and Certificates Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/hostnames/settings/ciphers/$HOSTNAME" \  --request DELETE \  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"For guidance around custom hostnames, refer to TLS settings - Cloudflare for SaaS.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark