My Cloudflare Access can be bypassed with hyperlinks

What is the name of the domain?

example.com

What is the issue you’re encountering

My Cloudflare Access can be bypassed with hyperlinks

What are the steps to reproduce the issue?

I’ve created a policy that includes only emails ending in @example.com, which seems to work great whenever I try to access the example.com domain directly.

But after I create a simple hyperlink e.g.:

<a href="https://www.example.com">Enter</a>

and save it as .html, run it, and then press Enter. It will bypass the email requirement and the Cloudflare Access page altogether and take me straight to the index page.

How could this be happening?

Were you already logged-in via PIN code or?
What was the time-frame for the session set to?
Is the domain behind a Zero Trust App / Access?
What does your Access Policy look like?

Were you already logged-in via PIN code or?
No

What was the time-frame for the session set to?
My application is set to 24h and the policy is set to ‘same as application’.

Is the domain behind a Zero Trust App / Access?
Yes? I believe so, considering it does work when directly entering the domain.

What does your Access Policy look like?

POLICY
Name: Email Requirement
Action: Allow
Session: Same as application session timeout

INCLUDE
Selector: Emails ending in
Value: Example.com

Thank you for the feedback.

Have you tried reproducing the same by visiting such example.com URLs in a different Web browser or via Incognito Mode? :thinking: Access page still not triggered?

Chrome and Edge trigger the Access page when directly entered but bypass it when hyperlinked.

While Opera, Firefox and Safari seem to be able to bypass it either way…

I tried incognito mode but the results were the same.

I found the issue: the Access page simply didn’t trigger when visiting example.com, but it did when using www.example.com. Although I’m confident I never actively typed www.* in any of the browsers, but whatever. Anyway, I created a page rule forwarding example.com to www.example.com, which solved the problem. :tada:
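The root cause above is a coverage gap rather than a bypass: the Access application only matched www.example.com, so the apex hostname served the origin with no login challenge at all. A simple way to catch this before a user does is to probe every hostname variant of the application and confirm each one answers an unauthenticated request with the Access login redirect. The script below is an added example for this thread, not code from Cloudflare or the original poster. It assumes that an unauthenticated request to a protected host is answered with a 3xx redirect whose Location points at a `*.cloudflareaccess.com` login URL, and that a host returning the application directly (e.g. 200) has no Access policy in front of it; the team name `myteam` and the sample responses are constructed.

```python
"""Check that apex and www hostnames are both behind Cloudflare Access.

Illustrative code, not Cloudflare's. Assumption: an unauthenticated request to a
protected host is redirected to https://<team>.cloudflareaccess.com/..., while an
unprotected host serves the application body directly.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostname suffix of the Access login page (assumed detection heuristic).
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Probe:
    """Result of one unauthenticated GET: status code and lower-cased headers."""
    hostname: str
    status: int
    headers: dict


def is_access_challenge(probe: Probe) -> bool:
    """True if the response is a redirect to the Cloudflare Access login page."""
    if probe.status not in REDIRECT_STATUSES:
        return False
    location = probe.headers.get("location", "")
    target_host = urlsplit(location).hostname or ""
    return target_host.endswith(ACCESS_LOGIN_SUFFIX)


def hostname_variants(domain: str) -> list[str]:
    """Apex and www forms of a domain, the two that drifted apart in the thread."""
    apex = domain[4:] if domain.startswith("www.") else domain
    return [apex, "www." + apex]


def unprotected(probes: list[Probe]) -> list[str]:
    """Hostnames whose unauthenticated response is not an Access challenge."""
    return [p.hostname for p in probes if not is_access_challenge(p)]


def fetch_probe(hostname: str, timeout: float = 10.0) -> Probe:
    """Live probe (not used by the offline sample): GET / without following redirects."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"https://{hostname}/", method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(hostname, resp.status,
                         {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:
        return Probe(hostname, err.code,
                     {k.lower(): v for k, v in err.headers.items()})


# Constructed sample reproducing the thread: apex unprotected, www challenged.
SAMPLE_PROBES = [
    Probe("example.com", 200, {"content-type": "text/html"}),
    Probe("www.example.com", 302, {
        "location": "https://myteam.cloudflareaccess.com/cdn-cgi/access/login/"
                    "www.example.com?kid=constructed",
    }),
]


if __name__ == "__main__":
    for host in unprotected(SAMPLE_PROBES):
        print(f"NOT protected by Access: {host}")
```

For a live check, replace `SAMPLE_PROBES` with `[fetch_probe(h) for h in hostname_variants("www.example.com")]`; any hostname the script reports should either be added to the Access application's domain list or redirected to the covered hostname, as the thread's page rule does.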
