
Cloudflare's free plan includes one-click SSL for custom domains. That's what I use for my github pages sites.


Although it doesn't validate the backend certificate.


In some cases it doesn't even connect with TLS due to some connection issue with GitHub / fastly and you need to set it to flexible (no encryption). I wonder if this new forced HTTPS redirect will change/break that?

I haven't quite worked out the rules yet but some GH pages allow full TLS on CF (but not strict cert validation obviously) and some require flexible. I think org pages need flexible (plain HTTP) but project ones support HTTPS (if on a subdomain)?

This update may change all that so will need to experiment again. If it does break things then any new sites after the 15th may not be able to be made to work. If using a CF page rule or HSTS headers to permanently redirect to HTTPS then this could be a problem.


If that's what you are talking about, you can select "Full (strict)" in the SSL options to enforce origin certificate validation.

https://support.cloudflare.com/hc/en-us/articles/200170416-W...


But this doesn't work because the backend certificate is invalid (it covers *.github.io rather than example.com).


But you'd give cf that cname I think


Last time I tested this, Cloudflare validated using the domain name, not the CNAME.
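
An added example, not part of any comment in this thread and not Cloudflare's code: a simplified hostname check in the style of RFC 6125, showing why a certificate covering *.github.io passes when the verifier checks the CNAME target but fails when it checks the custom domain. The origin name `user.github.io`, the SAN list and the `validate_against` switch are assumptions made for illustration.

```python
# Simplified reference-identity matching (RFC 6125 style), written for this
# illustration. It is not a full implementation: no IDN handling, no IP SANs.

def san_matches(hostname: str, pattern: str) -> bool:
    """Return True if one certificate dNSName pattern covers hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or not all(host):
        return False  # a wildcard covers exactly one label, never several
    if pat[0] == "*":
        # Wildcard must be the whole left-most label and must not sit
        # directly on a top-level label such as "*.com".
        if len(pat) < 3 or "*" in "".join(pat[1:]):
            return False
        return host[1:] == pat[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected here
    return host == pat


def origin_cert_valid(expected_name: str, san_list: list[str]) -> bool:
    """True if any SAN entry covers the name the verifier expects."""
    return any(san_matches(expected_name, p) for p in san_list)


# Constructed SAN list, based on the comment that the backend certificate
# "covers *.github.io".
GITHUB_PAGES_SANS = ["*.github.io", "github.io"]


def strict_check(custom_domain: str, cname_target: str,
                 san_list: list[str], validate_against: str = "domain") -> bool:
    """Model of the two behaviours debated in the thread (hypothetical switch):
    'domain' checks the site's own name, 'cname' checks the CNAME target."""
    name = custom_domain if validate_against == "domain" else cname_target
    return origin_cert_valid(name, san_list)


if __name__ == "__main__":
    for mode in ("domain", "cname"):
        ok = strict_check("example.com", "user.github.io",
                          GITHUB_PAGES_SANS, validate_against=mode)
        print(f"validate against {mode}: {'accepted' if ok else 'rejected'}")
```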



