Skip to content
Visit Access on GitHub
Set theme to dark (⇧+D)

Application Paths

You can create unique rules for parts of an application that share a root path. When multiple rules are set for a common root path, they do not inherit rules. Instead, the more specific rule takes precedence. For example:

  • An example application is deployed at that anyone on the engineering team should be able to access.
  • Policy A restricts access to that path to members of the engineering team.
  • A tool deployed at that only the executive team should be able to access.
  • When using only policy A, this path inherits the rules from policy A and members of the engineering team can access that path. You can instead create a second policy, policy B, to restrict access to the executive team only.
  • When applying Policy B to, the more specific policy takes precedence. The /exec path is gated by policy B instead of relying on the rules in policy A.


You can configure an Application for an apex domain, a particular subdomain, or all subdomains using a wildcard rule. Similarly, you can apply an Access Application to an entire website or protect a specific path. When protecting the entire website, leave the path field empty. You specify paths, for example /admin, as well.

Policy Wildcards

Access does not support overlapping definitions. For example, when setting rules for /admin and /admin/specific separately, /admin/specific does not inherit the rule set for /admin. The more specific rule is enforced.

Access does not support port numbers in the URL. Requests to URLs with port numbers are redirected to the URL and the port numbers stripped.

Using wildcards in rules

You can secure any subdomain of the apex domain in Cloudflare Access by using a wildcard in the rule. Wildcard rules use an asterisk (*) in the Subdomain field in the Application Overview menu.

When using wildcards in rules, keep in mind that:

  • Using a wildcard in the Subdomain field does not cover the apex domain. That is, a wildcard rule that controls access using the format, *, covers and, but not You must create separate rules for the apex domain.

  • Using a wildcard in the Subdomain field does not cover multi-level subdomains. For instance, a wildcard rule like * would cover but not