My Cloudflare Access can be bypassed with hyperlinks
What are the steps to reproduce the issue?
I’ve created a policy that includes only emails that end in @example.com, which seems to work great whenever I try to directly access the example.com domain.
But after I create a simple hyperlink, e.g.:
<a href="https://www.example.com">Enter</a>
and save it as .html, run it, and then press Enter, it will bypass the email requirement and the Cloudflare Access page altogether and will take me straight to the index page.
Were you already logged in via PIN code, or?
What was the time-frame for the session set to?
Is the domain behind Zero Trust App / Access?
What does your Access Policy look like?
Have you tried reproducing the same by visiting such example.com URLs in a different web browser or via Incognito Mode? Is the Access page still not triggered?
I found the issue: the Access page simply didn’t trigger when visiting example.com, but it did when using www.example.com. I’m confident I never actively typed www.* in any of the browsers, but whatever. Anyway, I created a page rule forwarding example.com to www.example.com, which solved the problem.
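The root cause in the last post (an Access application that covers www.example.com but not the apex example.com, so any link pointing at the apex lands on the origin directly) is easy to audit. As an added example that is not from this thread or from Cloudflare: a small Python check that reports which served hostnames fall outside the configured application domains and classifies an unauthenticated response as protected, unprotected, or a plain redirect. The hostnames, the `myteam` team name and the responses are constructed placeholders, and the wildcard rule (a `*` stands for exactly one DNS label and therefore never covers the apex) is an assumption, not a statement about Cloudflare's matcher.

```python
"""Audit helper for the 'apex not behind Access' case (added example,
not Cloudflare's code). All inputs below are constructed placeholders."""
from urllib.parse import urlparse


def hostname_covered(hostname: str, app_domains: list[str]) -> bool:
    """True if hostname matches one of the Access application domains.
    Assumption: '*' stands for exactly one DNS label, so '*.example.com'
    matches 'app.example.com' but never the apex 'example.com'."""
    host = hostname.lower().rstrip(".").split(".")
    for domain in app_domains:
        labels = domain.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if all(p == "*" or p == h for p, h in zip(labels, host)):
            return True
    return False


def uncovered_hostnames(served: list[str], app_domains: list[str]) -> list[str]:
    """Hostnames that serve content but are not behind any Access application."""
    return [h for h in served if not hostname_covered(h, app_domains)]


def classify_response(status: int, headers: dict[str, str]) -> str:
    """Classify the response to an UNAUTHENTICATED request to a hostname:
    'protected'   redirect to the team's Access login (<team>.cloudflareaccess.com)
    'redirect'    redirect elsewhere (e.g. apex -> www); follow it and re-check
    'unprotected' origin content served directly (2xx) - the thread's symptom
    'other'       anything else (4xx/5xx); inspect manually."""
    location = headers.get("Location") or headers.get("location") or ""
    if status in (301, 302, 303, 307, 308):
        target = urlparse(location).hostname or ""
        return "protected" if target.endswith(".cloudflareaccess.com") else "redirect"
    if 200 <= status < 300:
        return "unprotected"
    return "other"


if __name__ == "__main__":
    # Constructed: the situation from the thread, Access app defined on www only.
    apps = ["www.example.com"]
    served = ["example.com", "www.example.com"]
    print("uncovered:", uncovered_hostnames(served, apps))  # ['example.com']
    print(classify_response(200, {}))  # unprotected: what a link to the apex hit
    print(classify_response(302, {"Location": "https://myteam.cloudflareaccess.com/"}))
```

Run it against your own application list; after a page rule like the one in the thread, the apex should classify as `redirect` and its target as `protected`.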