Simple Cloudflare access setup with OTP

Trying to secure a folder on a website using Cloudflare access. I created a group defined by 3 different emails. Then created a policy for my app to Allow and Requires that group. It seems that when I access that folder and am prompted for an email address to send the OTP to - I can successfully send OTP’s to ANY email address and logging to through Cloudflare Access to my folder.

I must be missing something…but it sure seems like the default should DENY anyone not in the policy.

Do I need to also create a Policy to BLOCK/DENY everyone else?

Have you confirmed the address you entered not in the policy actually received an email with an OTP code?

Yes. I can send OTP codes to ANY email outside of the policy and receive the email. I can then take this OTP and successfully login to my “secured” app.

App Policy is setup to REQUIRE Group. Group is setup to REQUIRE email. I have 3 emails setup in the GROUP require area. Fortunately I decided to test an “outside” email not in this group and quickly discovered this is not secure.

You should remove the rule which is set to require OTP and use just the group. The separate rule for require OTP is a separate rule from the require group and as implemented has no constrains on who can log in and match that rule.


Nope. Still same issue. What am I missing?

Remove this from your existing rule and assign the group or a specific email or whatever.

Removed… but now getting a Cloudflare: Forbidden - You do not have permission to view this page - page when I visit my hosted app.

I tried starting over…deleted app. created new policy. no luck.

Frustrated. This COULD be easy to implement. However, it isn’t working as I would expect.

How about posting a video of “How to setup Cloudflare Access for self-hosted application” ? Would like to see a walk-thru for a simple use case. I would love to use this for all of my websites admin tools.

Ok. Started completely over and ONLY did a “REQUIRE” email only. Seems to work.

This product could use some feedback… A bunch of things not very clear through the UI. Many bugs and inconsistencies within the interface.

Add an application | Self Hosted (Select) |

Application Configuration
Application Name: Demo
Session Duration (something more than no duration unless you are using service auth exclusively).
Application domain: foo
Domain: Select one of your domains
Optional: Include a path - else it covers *
Identity Provider: Select One Time Pin (for this scenario)
Click Next
Rule name: Default | Rule Action Allow
Create additional rules
Include | Select emails |
Click Next
Click Add application.