Cloudflare Access Control¶
Cloudflare Access can restrict the site without adding application code, accounts, a database, or a custom login system.
Recommended First Policy¶
Start with an allow-list of specific email addresses.
Use:
- Cloudflare Access
- One-time PIN login
- an allow policy for named email addresses
This keeps the first sharing model simple: only invited readers can request a code and view the site.
Setup Steps¶
- Open Cloudflare Zero Trust.
- Add or confirm the One-time PIN identity provider.
- Create a self-hosted Access application for the Pages hostname, such as
ai-education-guides.pages.dev. - Add an allow policy.
- Include specific reader email addresses.
- Test from a private browser window before sharing the link.
Other Login Options¶
Cloudflare Access can also use:
- Google login
- GitHub login
- Microsoft Entra ID
- email domain restrictions, such as
@example.com - specific GitHub organisations or teams, if GitHub identity is configured
Recommended Progression¶
| Stage | Access model | When to use |
|---|---|---|
| First publish | Specific email allow-list with OTP | Small set of known readers. |
| Wider trial | Email domain allow-list | A trusted organisation or cohort. |
| Team use | Google, GitHub, or Microsoft identity provider | Ongoing readers with identity groups. |
| Public release | Remove Access or add public policy | Material is ready for open publication. |
Notes¶
- Blocked users will not receive a usable one-time PIN.
- Keep the Pages project public only if the content is intended for anyone with the URL.
- Keep confidential examples out of the site even when Access is enabled.