Someone started a discussion that was unanswered, but quite important for us. I will just copy & paste because this is exactly what we’re trying to achieve:
I have used Cloudflare Pages for many months and now I would like to use it on a more important website in which the domain will be on the Pro plan with WAF and other benefits.
One thing that concerns me is that despite having custom domain name configured on Cloudflare Pages site, its direct URL (example.pages.dev) is still accessible to anyone. I know that the orange cloud will hide the origin URL but what if someone discovers the URL?
Is it possible to block direct access to Cloudflare Pages site and allow only Cloudflare’s IPs to access it? Otherwise paying for WAF for Cloudflare Pages site isn’t guaranteed that nobody would be able to bypass security. If Cloudflare is unable to natively achieve this for now, what options do I have to pull this off?
The problem is that the only way to restrict access to Pages is using Cloudfare Access and I am not sure if we are able to do that on access.
To be honest, I read about Cloudfare pages a while ago but just decided to have a go for a new project today and I am quite surprised that Pages doesn’t have a basic feature for that as it’s quite common/important for users to allow only requests coming from WAF/Cloudfare proxy and block direct access to it.