Require Access protection
Cloudflare Access allows you to require Access protection for all hostnames in your account. When this setting is turned on, traffic to any hostname without a matching Access application is automatically blocked.
This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. Without this setting, a developer could deploy a new application or create a DNS record and inadvertently expose the resource before configuring an Access application.
-
Log in to the Cloudflare dashboard ↗ and go to Zero Trust > Access controls > Access settings.
-
Turn on Require Cloudflare Access Protection. You will see a dialog confirming you understand the scope of this change. Select Confirm.
Traffic to all hostnames in the account is now blocked unless an Access application exists for the hostname.
-
(Optional) Under Hostnames to Exempt, select specific domains to exempt from the Require Cloudflare Access Protection setting. Traffic to exempted hostnames is allowed even if no Access application exists.
To allow traffic to a hostname when Require Cloudflare Access Protection is turned on:
- Create an Access application for the hostname.
- Add an Allow policy to grant access to authorized users.
- (Optional) Add a Bypass policy if the hostname should be publicly accessible without authentication.
When a user attempts to access a hostname without an Access application, Cloudflare displays a block page with Error 1050: This resource is blocked by this account's Default-Deny policy. The user cannot proceed until an administrator creates an Access application for that hostname.