[Workers] Add Cloudflare Access configuration docs #31730
Open
chythram05 wants to merge 4 commits into
Contributor
Review
Fan Out Code Review: This code review is in beta and may not always be helpful — use your judgment. Warnings (1)
Style Guide Review: Warnings (1), Suggestions (2)
Commands: Only codeowners can run commands. Post a comment with the command to trigger it.
kennyj42
approved these changes
Jun 26, 2026
| Access can protect one Worker's production `workers.dev` URL, preview URLs, or both. You can also protect all Workers or all Worker previews in an account. For setup instructions, refer to [Cloudflare Access](/workers/configuration/cloudflare-access/). | ||
|
|
||
| If your Worker relies on the signed-in user's identity, [validate the Access JWT](/workers/configuration/cloudflare-access/#use-signed-in-user-information-in-your-worker) in your Worker code. | ||
| If your Worker relies on the signed-in user's identity, [validate the Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#cloudflare-workers-example) in your Worker code. |
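Review bot: In the first of the two "validate the Access JWT" lines, the link text promises validation but the anchor it targets is `#use-signed-in-user-information-in-your-worker`, which reads as a section about consuming identity rather than verifying the token. Point the link at a heading that is about validation (the `#cloudflare-workers-example` target in the second line is closer to the link text) and confirm the chosen anchor exists, since a missing anchor only drops the reader at the top of the page.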
Collaborator
There are two things here:
- Validate the JWT as a defense in depth in case Access ever gets removed and you want to guarantee unauth'd users can't reach your app
- Use the get-identity endpoint (also in that link) to access information about the authenticated user to use in your application
| ### Protect one hostname, Custom Domain, or path {/* dashboard-protect-one-hostname-custom-domain-or-path */} | ||
|
|
||
| You can also configure Access for Workers by creating an Access application with a Worker destination. | ||
| Use hostname-based Access when a specific URL that routes to your Worker should require sign-in. This can protect a `workers.dev` hostname, a Custom Domain, a subdomain, or a path. |
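Review bot: The last line lists "a path" next to whole hostnames without saying what a hostname- or path-scoped application leaves uncovered. Add a sentence stating explicitly which URLs still reach the Worker without sign-in when only one hostname or one path is protected, so readers do not assume the same coverage as a Worker destination.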
Collaborator
This could probably use an explainer that referencing a Worker is the entire Worker vs. using a hostname based Access app is truly just that explicit hostname.
| - `preview_worker`: Protect one Worker's preview deployments only. | ||
| - `all_workers`: Protect every Worker's production and preview deployments. | ||
| - `all_preview_workers`: Protect every Worker's preview deployments only. | ||
| - `my-worker.example.workers.dev` |
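Review bot: The descriptions for `preview_worker`, `all_workers` and `all_preview_workers` say "production and preview deployments" without naming the hostnames involved, while the overview sentence earlier in the change speaks specifically of the production `workers.dev` URL and preview URLs. State for each value whether it covers only `workers.dev` and preview URLs or also other hostnames routed to the Worker, because a reader choosing `all_workers` will otherwise assume everything is covered.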
Collaborator
Might be worth linking to our dev doc about protecting subdomains, paths and using wildcards.
|
|
||
| | Policy option | Result | | ||
| | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | Cloudflare account | Allows members of this Cloudflare account to sign in. Use this option when access should be limited to people who already belong to the account. | |
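Review bot: The "Cloudflare account" row says members of the account can sign in but does not say whether every member role qualifies. Spell out in the Result cell which members are admitted, so that readers with large accounts can tell how broad this option is before selecting it.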
Collaborator
Hyperlink to our broader policy explanation section in Access.
- Tighten intro and section copy; fix heading casing and toggle label ordering
- Split JWT guidance into defense-in-depth vs. reading user identity
- Clarify hostname vs. whole-Worker protection scope
- Link to Application paths and Access policies docs
Contributor
/full-review
Summary
Adds a new Workers configuration page for Cloudflare Access. The page explains how to require sign-in for all Workers, one Worker, preview deployments, and specific hostnames or paths.
Also links the new page from the Workers configuration index and adds dashboard screenshots for the Access setup flows.