Prevent Direct access to pages.dev domain and only via main domain

Hello,

Someone started a discussion that was unanswered, but quite important for us. I will just copy & paste because this is exactly what we’re trying to achieve:

I have used Cloudflare Pages for many months and now I would like to use it on a more important website in which the domain will be on the Pro plan with WAF and other benefits.

One thing that concerns me is that despite having a custom domain name configured on the Cloudflare Pages site, its direct URL (example.pages.dev) is still accessible to anyone. I know that the orange cloud will hide the origin URL, but what if someone discovers the URL?

Is it possible to block direct access to Cloudflare Pages site and allow only Cloudflare’s IPs to access it? Otherwise paying for WAF for Cloudflare Pages site isn’t guaranteed that nobody would be able to bypass security. If Cloudflare is unable to natively achieve this for now, what options do I have to pull this off?

Thanks.

On regular servers I authenticate Cloudflare or block the request

https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull

The problem is that the only way to restrict access to Pages is using Cloudflare Access and I am not sure if we are able to do that on access.

To be honest, I read about Cloudflare Pages a while ago but just decided to have a go for a new project today, and I am quite surprised that Pages doesn’t have a basic feature for that, as it’s quite common/important for users to allow only requests coming from the WAF/Cloudflare proxy and block direct access to it.

Hi there!

If you don’t need to access the site through your Pages subdomain at all, you can redirect visitors to your custom domain using Bulk Redirects.

If you still want the ability to access preview deployments, simply uncheck “Include subdomains”.

If you need help setting up Bulk Redirects, please take a look at the documentation.
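Once a redirect like the one suggested above is in place, it is worth confirming that the pages.dev hostname no longer serves content directly. The following Node.js (18+) check is an added example, not part of the original posts or Cloudflare's documentation; the hostnames, the preview subdomain and the function names are constructed placeholders.

```javascript
// Added example: confirm that a pages.dev hostname redirects to the custom domain.
// PAGES_HOST and CUSTOM_HOST are placeholders (assumptions); substitute your own.
const PAGES_HOST = "example.pages.dev";
const CUSTOM_HOST = "www.example.com";
const REDIRECT_CODES = [301, 302, 303, 307, 308];

// Classify one response seen when requesting `requestedHost` without following redirects.
function classify(requestedHost, status, location, customHost = CUSTOM_HOST) {
  if (!REDIRECT_CODES.includes(status)) {
    // A 2xx here means the WAF on the custom domain can still be bypassed.
    return status >= 200 && status < 300 ? "SERVED_DIRECTLY" : "OTHER";
  }
  if (!location) return "BAD_LOCATION";
  let target;
  try {
    // Resolve relative Location values against the host that was requested.
    target = new URL(location, `https://${requestedHost}/`);
  } catch {
    return "BAD_LOCATION";
  }
  return target.protocol === "https:" && target.hostname === customHost
    ? "REDIRECTED"
    : "REDIRECTED_ELSEWHERE";
}

// Expected outcome per host: with "Include subdomains" unchecked, preview
// deployments (subdomains of the pages.dev host) are still served directly.
function expected(host, includeSubdomains, pagesHost = PAGES_HOST) {
  if (host === pagesHost) return "REDIRECTED";
  if (host.endsWith("." + pagesHost)) {
    return includeSubdomains ? "REDIRECTED" : "SERVED_DIRECTLY";
  }
  return "OTHER";
}

// Live check; "manual" keeps fetch from following the redirect for us.
async function checkHost(host, path = "/") {
  const res = await fetch(`https://${host}${path}`, { redirect: "manual" });
  return classify(host, res.status, res.headers.get("location"));
}

// Opt-in network run: RUN_LIVE_CHECK=1 node check.js
if (process.env.RUN_LIVE_CHECK === "1") {
  const hosts = [PAGES_HOST, `abc123.${PAGES_HOST}`]; // second host is a constructed preview name
  Promise.all(hosts.map(async (h) => [h, await checkHost(h), expected(h, false)]))
    .then((rows) => rows.forEach(([h, got, want]) =>
      console.log(`${got === want ? "ok  " : "FAIL"} ${h}: got ${got}, expected ${want}`)));
}
```

A `SERVED_DIRECTLY` result for the production pages.dev hostname means requests can still reach the site without passing through the custom domain's WAF.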
