Making it impossible to bypass CF Zero Trust

I have multiple apps running in AWS using API Gateway, load balancers etc.

I want to enable Cloudflare Zero Trust on those domains.
For each domain:

  • I have set the CNAME to point to the publicly available API Gateway / LB domain.
  • I have set the subdomain to be proxied via Cloudflare using Cloudflare DNS (orange cloud).
  • I have setup CF Access on that domain from the Zero Trust section.

Now when I hit each domain CF access is setup correctly.

However, the issue I have is that if I curl the publicly available API Gateway / LB domain passing in the application header I can bypass CF access and still see my private content.

Domain needing to be locked down:
API Gateway domain: DNS
Name: test
Proxy Status: Proxied

Zero Trust application
Set to proxy (all traffic).

Hitting via browser → CF Access Page - Expected result.

Bypass Cloudflare returns page content.

curl -H "Host:"

How can I make it impossible to bypass Cloudflare in this case?

This is related to your AWS configuration and not Cloudflare configuration.
Cloudflare is doing the DNS and the proxy, so it protects the access only through your domain. address is an AWS domain, so Cloudflare has nothing to do with protecting it.
What you have to do here is to set up some limitation that only Cloudflare public IP can reach you API Gateway resources. Most likely you’ll have to set up AWS WAF.

Thanks for the response.

allowlisting Cloudflare IPs will restrict access to my endpoint somewhat.

However, this leaves my network open to anyone who has a Cloudflare Account who can send requests via a Cloudflare IP.