This post focuses on how Cloudflare Tunnel handles TLS and what that means for privacy. For the separate question of DNS requirements — why Cloudflare Tunnel requires you to move your domain's nameservers — see Cloudflare Tunnel Requires You to Move Your DNS.
How TLS works with Cloudflare Tunnel
Cloudflare terminates your TLS connection at their edge servers. This is not a side-effect — it is how Cloudflare's proxy works, and it is what enables their DDoS protection, WAF rules, caching, and Access policies.
When you access your Home Assistant through a Cloudflare Tunnel, there are two separate encrypted connections, not one:
[Diagram: browser → Cloudflare edge (TLS terminated here; traffic is plaintext at this point) → tunnel daemon → Home Assistant on port 8123]
Your browser establishes an HTTPS connection to Cloudflare's edge server. Cloudflare holds the private key for the certificate they issued for your domain, so they decrypt the full request — the URL, the cookies, the headers, and the request body, including your login and password.
At this point, Cloudflare processes the request in plaintext: applies WAF rules, checks Access policies, handles caching. Then it forwards the request through the encrypted tunnel to the cloudflared daemon running on your device. The Home Assistant Cloudflared app typically configures the tunnel to connect to Home Assistant over plain HTTP on port 8123 — so that last segment is not encrypted either.
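The two-segment picture above can be checked from the client side. The following script is an added example written for this post; it is not code from Cloudflare, Home Assistant or Pluggie. It uses two indicators: the response headers (a proxy that terminates TLS answers your browser itself, so its own headers appear in the reply; Cloudflare's edge sets `server: cloudflare` and a `cf-ray` id) and the SHA-256 fingerprint of the leaf certificate the client is shown. If that fingerprint matches the certificate stored on your own device, the matching private key is on your device and TLS ends there; a different leaf means whoever holds that key, in this case the edge, decrypts your traffic. The hostname, the path to your device's certificate and the script name are assumptions; the sample values in the `__main__` block are yours to supply.

```python
"""Where does the TLS connection to my Home Assistant hostname actually end?

Added example, not from the post.  Run it against a hostname you operate:
    python tls_edge_check.py my-home.example.com [/path/to/device/cert.pem]
"""
import hashlib
import http.client
import ssl
import sys


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex
    in upper case, the same form a browser's certificate viewer shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify_edge(headers: dict) -> str:
    """Classify who terminated TLS from the HTTP response headers.

    Returns 'cloudflare-edge' when Cloudflare's well-known proxy headers are
    present, otherwise 'origin-or-unknown' (absence proves nothing by itself).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("server", "").lower() == "cloudflare" or "cf-ray" in lowered:
        return "cloudflare-edge"
    return "origin-or-unknown"


def load_device_cert(data: bytes) -> bytes:
    """Accept the device certificate as PEM or DER and return DER bytes,
    so the fingerprint is computed over the same encoding the client sees."""
    data = data.strip()
    if data.startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def terminates_at_device(seen_der: bytes, device_der: bytes) -> bool:
    """True when the certificate presented to the client is the device's own."""
    return cert_fingerprint(seen_der) == cert_fingerprint(device_der)


def probe(hostname: str, port: int = 443) -> tuple:
    """Live check: open a validated TLS connection, capture the leaf
    certificate, then fetch '/' and return (leaf DER, response headers)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(hostname, port, context=ctx, timeout=10)
    try:
        conn.connect()
        # Read the peer certificate before the request: http.client drops the
        # socket once a response with 'Connection: close' has been parsed.
        der = conn.sock.getpeercert(binary_form=True)
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        return der, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1]                      # assumption: a hostname you operate
    der, headers = probe(host)
    print("edge:", classify_edge(headers))
    print("leaf fingerprint:", cert_fingerprint(der))
    if len(sys.argv) > 2:                   # assumption: path to your device's cert
        with open(sys.argv[2], "rb") as f:
            device_der = load_device_cert(f.read())
        print("TLS terminates at device:", terminates_at_device(der, device_der))
```

A `cloudflare-edge` result with a leaf fingerprint that differs from your device's certificate is exactly the situation the post describes: the key that decrypts your session lives at the edge. A matching fingerprint is what a device-terminated relay should produce.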
What this means in practice
Every interaction you have with Home Assistant through a Cloudflare Tunnel passes through Cloudflare's infrastructure in decrypted form. That includes:
- Your login credentials — your username and password when you sign in to Home Assistant
- Your long-lived access tokens — if you use them for API access or the Companion app
- Your dashboard data — which rooms you view, which devices you monitor
- Device control commands — when you lock or unlock a door, arm an alarm, toggle a light
- Camera feeds — if you view security cameras through the Home Assistant interface
- Sensor data — presence sensors, motion detectors, GPS trackers, energy usage
- Automation state — which automations are running, their triggers and conditions
This is how Cloudflare works for every website behind their proxy — which is a large percentage of the internet. When you log in to any site that uses Cloudflare, they can technically see your credentials. The difference is that your banking site's login controls your bank account, while your Home Assistant login controls your home — locks, cameras, and presence data. Both deserve careful consideration about who sits in the middle.
This does not mean Cloudflare is actively reading your traffic. They are a reputable company with clear privacy policies. But architecturally, the capability exists. In the event of a court order, a security breach at Cloudflare, or a rogue employee, the data is accessible at the edge in plaintext. This is a fundamentally different trust model than end-to-end encryption, where the relay operator cannot access the content even if they wanted to.
How other services handle this
Pluggie
With Pluggie, TLS certificates are generated on your device. The private key never leaves your Home Assistant instance. When your phone connects to my-home.pluggie.net, the TLS connection terminates at your device, not at a relay server. Pluggie's relay infrastructure transports encrypted bytes without the ability to decrypt them.
We wrote a detailed transparency post about how this works, including an honest discussion of where the limits of this model are (as a domain operator, Pluggie could theoretically issue a new certificate — the same theoretical MITM vector that applies to any service that controls the domain, including Nabu Casa). The key difference: Pluggie would have to actively intervene to see your traffic. With Cloudflare, seeing your traffic is the default architecture.
Nabu Casa
Nabu Casa also generates TLS certificates on your device and relays encrypted traffic. Their architecture is similar to Pluggie's in this regard — the relay does not decrypt your data. As a domain operator, they face the same theoretical MITM vector that Pluggie does, and they have openly acknowledged this, which we respect.
Tailscale
Tailscale uses WireGuard for end-to-end encryption between devices. Traffic is encrypted from your phone directly to your Home Assistant device. However, Tailscale requires a VPN client installed on every device that needs access — you cannot access your services from a standard browser without the client running. This is a different model: strong encryption, but with a different set of trade-offs around convenience and accessibility.
Homeway
Homeway's security documentation describes a relay architecture where requests are tunneled through their servers to your device. End-to-end encryption is not part of their model — they use a two-layer authentication approach instead.
When Cloudflare's TLS model is acceptable
For many use cases, Cloudflare's TLS termination is a reasonable trade-off. You get DDoS protection, WAF rules, Cloudflare Access policies, and a well-maintained infrastructure — all for free. If you trust Cloudflare as a company (and millions of websites do), the practical risk is low.
It is the right model when:
- You value Cloudflare's security features (WAF, Access, DDoS protection) and consider them worth the trade-off
- Your threat model does not include Cloudflare themselves as a risk
- You are comfortable with a large third party having technical access to your home automation traffic
- You use Cloudflare Access to add an additional authentication layer before traffic even reaches your Home Assistant
When it is not
Cloudflare's TLS model is less comfortable when:
- You want end-to-end encryption where the relay operator physically cannot see your data
- Your Home Assistant controls security-sensitive devices — door locks, alarm systems, cameras, presence sensors
- You operate in a jurisdiction where a court order to a US company could compel data access
- Your threat model includes supply chain attacks or compromised infrastructure at third-party providers
- You simply prefer architectures where fewer parties have access to your data
TLS certificates generated on your device. Private keys that never leave your network. Relay servers that transport encrypted bytes without decrypting them. And active encryption integrity verification in the dashboard so you can see for yourself that the connection is genuine. Try it free — no email or credit card required. Setup takes under five minutes.
If you are evaluating tunnel services and want to understand the differences in TLS handling, reach out at support@pluggie.net. We are happy to help — even if you end up choosing Cloudflare.