Cloudflare Access is a powerful way to add authentication to your Web Applications without managing the code or complexity yourself. With one click, you can protect your site (or a section of it) to restrict access to your team. Cloudflare works at the edge and Access authenticates your visitors with minimal latency and industry-leading reliability in over 150 data centers around the world.
To secure your origin, you must enable Argo Tunnel or limit connections to your origin to only allow Cloudflare IPs and verify the JWT per the instructions here. Additional details are provided in Step 2 below.
Your access policy defines who can visit your site. For example, most teams want to restrict development tools and staging sites to just the users who work at your company. To do that, simply set a policy that requires users have a corporate email address (i.e. ‘@company.com’).
You can also limit permissions to individual users or create custom groups.
Create your Policy by visiting the Access section of the Cloudflare documentation and clicking ‘Create Access Policy’.
Now that you have edge-based access control, it’s important that no one can access your origin directly. This is not just valuable for Access; it also ensures that your origin is always protected by Cloudflare’s denial of service and attack protection.
There are several options for securing your origin:
Lock down the origin server to only accept traffic from Cloudflare IP’s. This can be done in your web server’s configuration.
Validate that all requests contain the Cloudflare client certificate.
In addition to securing the application with Cloudflare Access, it is recommended to verify the JWT tokens set by Access. Refer to the page Validating JWT Tokens for more details.
Use Cloudflare Argo Tunnel to connect your origin server directly to Cloudflare without exposing it to external connections from the Internet.
In some cases, a user of your application can log out of Cloudflare Access, refresh the page, and load content cached in their browser. You can disable browser caching for your origin to prevent users from loading content cached in their browser after logout.