Wouldn't that either cost money or only secure the connection from the client to cloudflare?

From what I understand (and I admit, my knowledge is pretty lacking around what cloudflare offers) the free part is only the security between the client and cloudflare (and not the security between cloudflare and your server).

On one hand it's better than nothing as I assume most MITMs are on local wifis and such but on the other it gives users a false sense of security.

Then again none of this is of actual concern for node.green

> From what I understand (and I admit, my knowledge is pretty lacking around what cloudflare offers) the free part is only the security between the client and cloudflare (and not the security between cloudflare and your server).

The free plan also supports securing the connection between CloudFlare and your server.

Yeah, the free version is HTTPS only between client and CF.

I made my blog hosted on Github HTTPS with this, mainly so that I can experiment some features like Service Workers.

Source? Last time I used it you could encrypt both hops (although you obviously need to tell CF to ignore the cert mismatch for backend server).

Yes, I use free CF with both hops encrypted. There's no way for my visitors to know this though. IMO CF should require both hops be encrypted.

They are both encrypted but since you can't verify the "server" certificate it is vulnerable to MITM.

It's a static site. Security between cloudflare and client seems like plenty

client <-> cloudflare and cloudflare <-> server are the same.

Not necessarily true in the case of government intervention