Restrict access to url using Access applications

Hi there !

I tried to restrict the access to a worker published on by setting up an Access Application ( Everything has been configured properly (rule, identity provider) and I can see the new app in the App launcher page, asking for credentials from my identity provider, but a direct access to the url is still possible without any protection. Any thoughts about what I could have missed?


So you’re not using this through a URL at your domain?

Does this mean that Access is working for the URL that you specified in Access?

You can shut off connections to the URL.

I will use a custom domain and shut off the access to, but on the application configuration screen you can also choose a url so I expected this to be working. If Access is not working properly with it should be fixed or removed from the configuration options. I tested with my own domain and it’s working fine.

Like many hostname-dependent features of Cloudflare, it doesn’t error-check to see if you’re typing in a valid subdomain. And if it were to not allow you to add an inactive workers subdomain, what do you suggest to happen if it was an active subdomain, then you deactivate it? Should that Access setting be deleted?

I think you don’t get me. On the screen below the “select a domain” dropbox is showing all you custom domains + “”. It appears that for some reasons a valid subdomain on is not protected by access, so I’m wondering if it’s a bug or a limitation.

But a valid domain on is protected by Access. If that URL is enabled. If that URL isn’t deployed, then it doesn’t resolve.

I must have something misconfigured. Little test:
-> this url is deployed
-> access is configured

but still not protected. If I shut off the publication and use a custom domain it will be protected.