The route from the user's browser to Cloudflare is encrypted (https), but the route between Cloudflare's servers and github pages is only http as Github does not support https for custom domains.
User <---https---> Cloudflare <---http---> Github pages
As long as your github page has https (it does) Cloudflare can do full HTTPS all the way through, and even strict to require a valid ssl cert (which github has).
Any tips on how to configure this? I'm pretty sure my setup has the problem that ploggingdev talked about.
I acknoledged the issue given, but considered it better that the content the user is accessing was hidden for their privacy - the link between Cloudflare and GitHub is backbone-of the internet stuff and has a whole different set of risks. Would be nice to plug it.
User <---https---> Cloudflare <---http---> Github pages