cloudflare · ngayerie · Oct 22, 2025
@@ -23,13 +23,17 @@ Note that:
 - You cannot set specific TLS 1.3 ciphers. Instead, you can [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use all applicable [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/).
 - Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates).
 - It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](/pages/) hostnames.
-- If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard).
 - If you use Windows you might need to adjust the `curl` syntax, refer to [Making API calls on Windows](/fundamentals/api/how-to/make-api-calls/#making-api-calls-on-windows) for further guidance.
 
 :::note
 Updating the cipher suites will result in certificates being redeployed.
 :::
 
+:::warning
+If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard).
+Applying a per-hostname configuration on a wildcard certificate will result in the configuration being applied to all hostnames!
+:::
+
 ## Steps and API examples
 
 1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).