When adding an Application to gain zero trust protection, if there is some misconfiguration (eg the name of the Application URI does not match with the DNS record due to a typo or omission) then access is by default allowed. So it can fail insecurely.
I propose that a new ingress configuration property is implemented which when present requires that the request has been secured via Access. The new configuration property would be optional and default to false to give backwards compatibility.
Any tunnel with this configuration property set (either at top level or origin-specific level) would then fail safe.