Authenticated Origin Pulls per Client

@sdayman Yes, I saw the Cloudflare Access, but although I’ve said “I”, it can actually be more people to access (few people tough). $3 per user is a bit to much, and in any case the block by Ip seems enough for me.

About the header not being overriden, I tought so too, although in the article it doesn’t clarify about that, but allowing any domain to rewrite the host header seems like a security issue to me and I think is more plausible that the rewrite is limited to domains in the account, like you said.

On the other hand, what @KentonVarda stated seems to relate to Resolve Override, not to Host Header Override. I see both of them in the Page Rules Article (you can search for any of them, they’re together in the Enterprise plan), so I guess they’re different things.

In any case, I will consider that a Cloudflare user isn’t able to send a request directly to my domain with my domain in the Host header, and will mark your answer as the solution, but it would be great some official information that changing the Host header to a Cloudflare domain in another account is really not possible.