I’m using Cloudflare Zero Trust and am hosting an internal app. I have a number of webhooks that need to be exposed externally, but the IP address that will be posting to the webhooks is dynamic and changes.
So I am unable to lock it down to a specific IP or range. Other than having “Everyone” access to domain.com/webhooks/*, what else can I do to reduce the attack surface?
As far as I understand, Access Service Tokens work as the first step of authentication. If your browser is configured with the tokens, that means only you have permission to go to the second step of authentication: one-time PIN or other SSO from other identity providers. For a webhook we need no extra authentication steps, just one GET from the browser. Access Service Tokens are probably not the right solution.