• How does Cloudflare Access evaluate tokens?

    Cloudflare Access signs JSON Web Tokens during the authentication flow and expects them in one of two places: a cookie in the browser and a custom authentication header.

    The cookie is titled CF_Authorization. The header value is cf-access-token.

  • I get an error saying “No ‘Access-Control-Allow-Origin’ header is present on the requested resource”

    Cloudflare Access requires that the “credentials: ‘same-origin’” parameter be added to JavaScript when using the Fetch API (to include cookies); without this AJAX requests will fail.

  • How can I make sure my origin server is not exposed to internet at all?

    To secure your origin, you must first enable Argo Tunnel or limit connections to your origin to only allow Cloudflare IPs and verify the JWT per the instructions here

  • Can I customize my domain by adding a logo from an http url?

    No. The image should be served from a https endpoint. For example http://www.example.com/upload/logo.png will not work. But https://www.example.com/upload/logo.png will work.

  • Can I use access to secure applications with second level subdomain URL?

    Yes. Make sure your SSL certificates cover the first and second level subdomain. Most certificates only cover the first level subdomain and not the second. This is true for most of the Cloudflare certs. To cover the second level with a CF cert you would select the “Custom Host names” options for Dedicated SSL.

    Wildcard-based policies in Cloudflare Access will only cover the level at which they are applied. You should add the wildcard policy to the left-most subdomain to be covered.

  • What is the order of policy enforcement?

    Access policies trigger in an order based on their position in policy table in the UI, with the exception of bypass policies - Access will evaluate bypass policies first.

    For allow and deny policies, Access will enforce the decision starting at the top of your list and moving down. You can modify the order by dragging and dropping individual policies in the UI.

  • How can I remove Access from my site?

    You can remove Cloudflare Access from your site by deleting all policies you have created for your application. To delete a policy, click on the ‘X’ button for that specific policy.

  • What browsers are supported?

    • Internet Explorer 11
    • Edge (Current release, last release)
    • Firefox (Current release, last release)
    • Chrome (Current release, last release)
    • Safari (Current release, last release)
  • Does the application behind Access need to use HTTPS?

    Yes; Cloudflare Access can only secure applications that use HTTPS.