Restricting only specific pages with Zero Trust

What is the name of the domain?

mcgillchoral.ca

What is the issue you’re encountering?

Putting specific pages behind Zero Trust doesn’t work. If I set up ZT for 5 pages (mcgillchoral.ca/internal, mcgillchoral.ca/sales etc.) and then navigate to them from a fresh device, I get the Cloudflare email challenge corresponding to my Allow policy. However, if I browse the website first and then go to /internal, I can see the content of the page without any authentication.

What steps have you taken to resolve the issue?

Temporarily put a site-level password in WordPress on the affected 5 sites.

What are the steps to reproduce the issue?

Create an application and policy for domain/path. Go to example.com/secretsite (you should see the Cloudflare challenge). Then go to example.com first, browse the website and then go back to example.com/secretsite. You can see the contents of secretsite without the Cloudflare challenge.

Your site redirects to www and https://www.mcgillchoral.ca/internal/ doesn’t match https://mcgillchoral.ca/internal/ for the Access policy.

1 Like
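
An added example, not part of the thread and not Cloudflare's own code: an offline check that takes the hostnames a site answers on and flags protected paths that have no Access application on that exact hostname, which is the gap the answer above identifies. The matching model (exact hostname, path prefix) is a simplifying assumption, the function names are hypothetical, and the sample entries are constructed from the two paths named in the question.

```python
from urllib.parse import urlsplit

# Constructed sample: Access applications written as "host/path", as in the question.
ACCESS_APPS = ["mcgillchoral.ca/internal", "mcgillchoral.ca/sales"]
# Every hostname the origin serves content on (apex plus the www redirect target).
SERVING_HOSTS = ["mcgillchoral.ca", "www.mcgillchoral.ca"]


def parse_app(entry):
    """Split 'host/path' into (lowercased host, normalized path prefix)."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path.strip("/")


def is_covered(url, apps):
    """Assumed model: host must match exactly, path must be at or under the app path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = "/" + parts.path.strip("/")
    for app_host, prefix in map(parse_app, apps):
        if host != app_host:
            continue  # www.example.com never matches an app defined for example.com
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def uncovered_urls(apps, serving_hosts):
    """Protected paths reachable on a serving host that no application covers."""
    gaps = []
    for _, prefix in map(parse_app, apps):
        for host in serving_hosts:
            url = f"https://{host}{prefix.rstrip('/')}/"
            if not is_covered(url, apps) and url not in gaps:
                gaps.append(url)
    return gaps


if __name__ == "__main__":
    for url in uncovered_urls(ACCESS_APPS, SERVING_HOSTS):
        print("no Access application matches:", url)
    # Adding an application per serving hostname closes the gap.
    fixed = ACCESS_APPS + ["www.mcgillchoral.ca/internal", "www.mcgillchoral.ca/sales"]
    print("gaps after fix:", uncovered_urls(fixed, SERVING_HOSTS))
```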

Thank you, you are 100% correct, I totally forgot about the redirect rule.

1 Like
