Publish a self-hosted application to the Internet
You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.
This guide covers how to make a web application accessible to anyone on the Internet via a public hostname. If you would like to make the application available over a private IP or hostname, refer to Add a self-hosted private application.
- An active domain on Cloudflare
- Domain uses either a full setup or a partial (CNAME) setup
- In Zero Trust, go to Access > Applications.
- Select Add an application.
- Select Self-hosted.
- Enter any name for the application.
- In Session Duration, choose how often the user's application token should expire.
  Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to Session management.
- Select Add public hostname.
- In the Domain dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use wildcards to protect multiple parts of an application that share a root path.
  Alternatively, to use a Cloudflare for SaaS custom hostname, set Input method to Custom and enter your custom hostname.
- (Optional) Configure Browser rendering settings:
- Add Access policies to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
- Configure how users will authenticate:
  - Select the Identity providers you want to enable for your application.
  - (Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
  - (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.
- Select Next.
- (Optional) Configure App Launcher settings for the application.
- Under Block page, choose what end users will see when they are denied access to the application:
  - Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is "That account does not have access", or you can enter a custom message.
  - Redirect URL: Redirect to the specified website.
  - Custom page template: Display a custom block page hosted in Zero Trust.
- Select Next.
- (Optional) Configure advanced settings:
  - Cross-Origin Resource Sharing (CORS) settings
  - Cookie settings
  - 401 Response for Service Auth policies: Return a 401 response code when a user (or machine) makes a request to the application without the correct service token.
- Select Save.
Set up a Cloudflare Tunnel to publish your internal application. Only users who match your Access policies will be granted access.
If your application is already publicly routable, a Tunnel is not strictly required. However, you will then need to protect your origin IP using other methods.
To secure your origin, you must validate the application token issued by Cloudflare Access. Token validation ensures that any requests which bypass Cloudflare Access (for example, due to a network misconfiguration) are rejected.
One option is to configure the Cloudflare Tunnel daemon, cloudflared, to validate the token on your behalf. This is done by enabling Protect with Access in your Cloudflare Tunnel settings. Alternatively, if you do not wish to perform automatic validation with Cloudflare Tunnel, you can instead manually configure your origin to check all requests for a valid token.
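One way an origin could perform the manual token check described above, shown as an added example and not Cloudflare's own code. It assumes the application token arrives in the Cf-Access-Jwt-Assertion request header as an RS256-signed JWT and that the team's signing keys (a JWKS document) have already been fetched; TEAM_DOMAIN, POLICY_AUD and the function names are placeholders, and the signature check uses only the standard library so the block stays self-contained.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from this page): header name, RS256 signing and claim layout follow
# the Access application token format; TEAM_DOMAIN and POLICY_AUD are placeholder values.
TEAM_DOMAIN = "https://example-team.cloudflareaccess.com"
POLICY_AUD = "constructed-aud-tag"
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def b64url(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def rs256_ok(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5: rebuild the expected encoded message and compare in full."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    digest = hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - 54) + b"\x00" + SHA256_PREFIX + digest
    actual = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(actual, expected)

def validate_access_token(headers: dict, jwks: dict, now: float = None) -> dict:
    """Return the token claims, or raise ValueError so the origin rejects the request."""
    token = headers.get("Cf-Access-Jwt-Assertion")
    if not token or token.count(".") != 2:
        raise ValueError("missing or malformed application token")
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url(head_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never accept the token's choice
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown signing key")
    n = int.from_bytes(b64url(key["n"]), "big")
    e = int.from_bytes(b64url(key["e"]), "big")
    if not rs256_ok(f"{head_b64}.{body_b64}".encode(), b64url(sig_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url(body_b64))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if POLICY_AUD not in aud or claims.get("iss") != TEAM_DOMAIN:
        raise ValueError("token issued for another application or team")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```

The origin should call this on every request and answer with an error status whenever it raises, so that traffic reaching the origin without passing through Access is refused.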
Users can now connect to your self-hosted application after authenticating with Cloudflare Access.
When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.
However, the following products are not supported:
You can disable Zaraz for a specific application - instead of across your entire zone - using a Configuration Rule scoped to the application domain.