Disable route access to Cloudflare Pages via the *.pages.dev domain

The problem is I want to protect my Cloudflare Pages site from being accessed by any URL that isn’t my custom domain. For example, I deploy my staging website to Cloudflare Pages and make it accessible via staging.mycompany.com. I set up a Cloudflare Firewall rule to restrict access to my staging site, but from what I can tell Cloudflare Firewall rules don’t apply to my *.pages.dev URLs (even if it did, I am unsure this is the right solution). Therefore, I am now leaking my staging website to the Internet. Not what I want.

Current solution
There are lots of posts about this already with a range of varying “solutions”, including using Zero Trust Access or Bulk Redirects with, in my opinion, only Bulk Redirects solving the entire problem. Although there were a lot of posts about this issue, none were made in the Feature Request section and were therefore automatically closed and I worry falling off Cloudflare’s radar.

Zero Trust Access can only restrict access to *..pages.dev and not .pages.dev, while still allowing access via a custom domain.

Bulk Redirects do work, but feels like a long-winded/hacky way to get to a solution.

Proposed solution
Currently in Cloudflare Workers you have the ability to set a custom domain and disable your *.workers.dev route. This would be ideal for Pages to also have a similar switch that says either enable or disable traffic to this “auto-assigned route”.

Hopefully this feedback is well received and any questions please let me know!


For now, as you already mentioned bulk redirects or access are the solution (also note, you can protect the pages.dev - see here: https://developers.cloudflare.com/pages/platform/known-issues/#enabling-access-on-your-pagesdev-domain – it’s awkward and we don’t like/recommend it but it’s possible).

We know people want to just remove the pages.dev however that isn’t possible right now. We do have work planned to resolve this issue (what that looks like remains to be seen). No ETA of course but know it is on our minds.

1 Like

We have create APIs with Cloudflare Pages Functions
We can protect api with Cloudflare Rate Limiting for custom domain but can’t protect [app].pages.dev
Using Bulk Redirects for this case is not enough.

what if you set your project name to a randomly-generated UUID?

0% probability that anybody ever finds something like cec60a5c-a17d-4d4f-9452-743f5b3e11d8.pages.dev

1 Like

I have tested this approach and it works. Thank you.