Prevent direct access to Cloudflare Pages site

I have used Cloudflare Pages for many months and now I would like to use it on a more important website in which the domain will be on the Pro plan with WAF and other benefits.

One thing that concerns me is that despite having custom domain name configured on Cloudflare Pages site, its direct URL ( is still accessible to anyone. I know that the orange cloud will hide the origin URL but what if someone discovers the URL?

Is it possible to block direct access to Cloudflare Pages site and allow only Cloudflare’s IPs to access it? Otherwise paying for WAF for Cloudflare Pages site isn’t guaranteed that nobody would be able to bypass security. If Cloudflare is unable to natively achieve this for now, what options do I have to pull this off?


Try this:

Thanks. Using Cloudflare Access sounds promising but seems like it also blocks access via custom domain URL.

This is what I get when accessing the site using custom domain. Did I do anything wrong? (accessing the URL lands me at CF Access page as expected)


Drat. I wonder if @stonys is still around and chime in.

Guess not. Any suggestions? I mean my concern is quite basic. Just need a way to prevent security bypass.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.