src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx
[Mutual TLS (mTLS)](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) adds an extra layer of protection to application connections by validating certificates on the server and the client. When building a SaaS application, you may want to enforce mTLS to protect sensitive endpoints related to payment processing, database updates, and more.
14
14
15
-
[Minimum TLS Version](/ssl/edge-certificates/additional-options/minimum-tls/)allows you to choose a cryptographic standard per custom hostname. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council.
15
+
[Minimum TLS Version](#minimum-tls-version) only allows HTTPS connections from visitors that support the selected TLS protocol version or newer. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council. As a SaaS provider, you can control the Minimum TLS version for your zone as a whole, as well as for individual custom hostnames.
16
16
17
-
[Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). As a SaaS provider, you can [specify configurations for cipher suites](#cipher-suites) on your zone as a whole and cipher suites on individual custom hostnames via the API.
17
+
[Cipher suites](#cipher-suites) are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). As a SaaS provider, you can specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames via the API.
18
18
19
19
:::caution
20
20
When you [issue a custom hostname certificate](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) with wildcards enabled, any cipher suites or Minimum TLS settings applied to that hostname will only apply to the direct hostname.
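Review bot: the rewritten cipher-suite sentence (the `+` line beginning "[Cipher suites](#cipher-suites) are a combination") repeats "cipher suites" in "specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames"; suggest "specify cipher suite configurations for your zone as a whole and for individual custom hostnames via the API". Both bullets also swap the reference links under /ssl/edge-certificates/additional-options/ for in-page anchors (#minimum-tls-version, #cipher-suites), while the Scope bullet later in this patch still links to /ssl/edge-certificates/additional-options/minimum-tls/ and the Cipher suites section still sends readers to the cipher-suites reference; keep the reference link in the Minimum TLS Version bullet as well so the two bullets are consistent. The same added sentence writes "Minimum TLS Version" and "Minimum TLS version"; pick one capitalisation.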
@@ -27,22 +27,35 @@ However, if you want to update the Minimum TLS settings for all wildcard hostnam
27
27
Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with a few clicks.
28
28
29
29
:::note
30
-
31
30
Currently, you cannot add mTLS policies for custom hostnames using [API Shield](/api-shield/security/mtls/).
32
-
33
31
:::
34
32
35
33
## Minimum TLS Version
36
34
35
+
:::note
36
+
While TLS 1.3 is the most recent and secure version, it is not supported by some older devices. Refer to Cloudflare's recommendations when [deciding what version to use](/ssl/reference/protocols/#decide-which-version-to-use).
37
+
:::
38
+
39
+
### Scope
40
+
41
+
- For custom hostnames created via API, it is possible not to explicitly define a value for `min_tls_version`. When that is the case, whatever value is defined as your zone's [minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) (under **Edge certificates** > **Minimum TLS Version**) will be applied. To confirm whether a given custom hostname has a specific minimum TLS version set, use the following API call.
In the API documentation, refer to [Custom Hostname Details](/api/resources/custom_hostnames/methods/get/).
46
+
47
+
48
+
</Details>
49
+
50
+
- If you specify any other settings for that custom hostname via Dashboard, whichever value is set for Minimum TLS version will then override your zo
51
+
52
+
### Setup
53
+
37
54
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and website.
38
55
2. Go to **SSL/TLS** > **Custom Hostnames**.
39
56
3. Find the hostname to which you want to apply Minimum TLS Version. Select **Edit**.
40
57
4. Choose the desired TLS version under **Minimum TLS Version** and select **Save**.
41
58
42
-
:::note
43
-
While TLS 1.3 is the most recent and secure version, it is not supported by some older devices. Refer to Cloudflare's recommendations when [deciding what version to use](/ssl/reference/protocols/#decide-which-version-to-use).
44
-
:::
45
-
46
59
## Cipher suites
47
60
48
61
For security and regulatory reasons, you may want to only allow connections from certain cipher suites. Cloudflare provides recommended values and full cipher suite reference in our [Cipher suites documentation](/ssl/edge-certificates/additional-options/cipher-suites/#resources).
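Review bot: the second Scope bullet (the `+` line "If you specify any other settings for that custom hostname via Dashboard ...") says a dashboard edit pins an explicit Minimum TLS version that then overrides the inherited value, but the section never explains how to return the hostname to inheriting the zone setting again; add that step (or state that it is not possible) next to the API call the first bullet refers to, since an operator auditing hostnames with the Custom Hostname Details call needs to know which outcome to expect. In the first bullet, "it is possible not to explicitly define a value for `min_tls_version`" reads awkwardly; suggest "you can omit `min_tls_version`, in which case the zone's minimum TLS version applies". Structurally, the `</Details>` closing tag sits flush-left between two `-` list items; in MDX the component (and the API call it wraps) must be indented to the list item's content level or the list is split in two. Moving the TLS 1.3 `:::note` from below the Setup steps to directly under the heading is fine; just make sure the heading's "Minimum TLS Version" and the Scope bullets' "Minimum TLS version" use the same capitalisation.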