I have used Cloudflare Pages for many months and now I would like to use it on a more important website in which the domain will be on the Pro plan with WAF and other benefits.
One thing that concerns me is that despite having custom domain name configured on Cloudflare Pages site, its direct URL (example.pages.dev) is still accessible to anyone. I know that the orange cloud will hide the origin URL but what if someone discovers the URL?
Is it possible to block direct access to Cloudflare Pages site and allow only Cloudflare’s IPs to access it? Otherwise paying for WAF for Cloudflare Pages site isn’t guaranteed that nobody would be able to bypass security. If Cloudflare is unable to natively achieve this for now, what options do I have to pull this off?