Cloudflare Zero Trust & Security Essentials — Birdor Cloudflare Tutorial Series (Part 7)

A calm, practical guide to Cloudflare Zero Trust and essential security features. Learn how to protect applications, secure administrative interfaces, manage identity, enforce access control, and apply Cloudflare’s security layers effectively.

Cloudflare is not only a CDN and global network — it is also a modern security platform. Cloudflare Zero Trust provides access control, identity verification, secure tunnels, traffic filtering, and threat mitigation without relying on traditional VPNs or complex infrastructure.

In this tutorial, we walk through the essential concepts, tools, and practical workflows that help you secure your sites, APIs, dashboards, and internal tools.

1. The Philosophy of Cloudflare Zero Trust

Traditional security models rely on the idea of a “trusted network.”
Cloudflare replaces this with a simpler principle:

Trust no request by default.
Validate identity and intent before granting access.

Cloudflare Zero Trust allows you to protect:

  • admin dashboards
  • internal tools
  • private APIs
  • deployment consoles
  • beta or staging environments
  • SSH and RDP access
  • Git hosting or dev tooling
  • anything behind a URL or port

No VPNs, no complicated firewall rules — just declarative, identity-based access policies.

2. Core Components of Cloudflare Security

Cloudflare’s Zero Trust stack includes:

2.1 Access

  • Identity-based access control for URLs and apps
  • Protect dashboards, staging sites, and APIs
  • Works with any identity provider

2.2 Warp Client

Securely routes traffic from devices to Cloudflare’s network.

2.3 Cloudflare Tunnel

Securely expose private services to the internet without opening firewall ports.

2.4 WAF (Web Application Firewall)

Filters malicious traffic at the edge:

  • SQL injection
  • XSS
  • bot attacks
  • scanning

2.5 Bot Management

Detects and blocks automated abuse.

2.6 Rate Limiting Rules

Throttle endpoints to prevent abuse and DDoS.

These features combine into a clean, manageable security model.

3. Identity Providers (IdP) Integration

Cloudflare supports:

  • Google
  • GitHub
  • GitLab
  • Microsoft
  • Okta
  • One-time PIN email
  • Custom OIDC / SAML providers

This means you can protect any resource using your team’s existing accounts.

Example use case:

  • Protect /admin with GitHub login
  • Only allow specific GitHub users or organizations

No custom auth code required.

4. Protecting an Application with Cloudflare Access

Cloudflare Access applies identity checks to URLs.

4.1 Step-by-step Setup

  1. Go to Zero Trust dashboard
  2. Navigate to Access → Applications
  3. Click Add an application
  4. Choose Self-hosted
  5. Enter the domain or path you want to protect
  6. Set up identity provider (GitHub, Google, etc.)
  7. Add an Access Policy (“Allow emails ending in @yourcompany.com”)
  8. Save and deploy

When users visit the protected path:

  • Cloudflare prompts for login
  • Identity is validated
  • Captured as cf-access-user-email header

This works even for static Hugo sites on Cloudflare Pages.

5. Using Access Policies for Granular Protection

You can secure:

5.1 Entire site

https://admin.example.com

5.2 A single path

https://example.com/admin/*

5.3 API endpoints

https://api.example.com/v1/private/*

5.4 Wildcard subdomains

https://*.internal.example.com

Policies support:

  • emails
  • identity groups
  • IP allowlists
  • device posture
  • country restrictions
  • service tokens

The system is extremely flexible.

6. Using Service Tokens (No User Login)

For machine-to-machine traffic (no browser):

  • generate a service token
  • include it in request headers
  • Cloudflare validates automatically

Useful for CI/CD pipelines, backend services, or scripts.

7. Cloudflare Tunnel (Secure Access Without Opening Ports)

Cloudflare Tunnel lets you expose a local application to the world securely.

How it works:

  • install cloudflared on your server
  • run the tunnel command
  • cloudflared opens an outbound-only connection to Cloudflare’s edge
  • users reach the service through Cloudflare without ever hitting your server’s IP

No need for public IP or firewall changes.

Example:

cloudflared tunnel create myapp
cloudflared tunnel route dns myapp app.example.com
cloudflared tunnel run myapp

Great for:

  • private dashboards
  • staging servers
  • remote development environments
  • secure SSH access

8. WAF (Web Application Firewall)

Cloudflare’s WAF filters malicious traffic at the edge.

What it blocks:

  • SQL injection
  • cross-site scripting
  • request smuggling
  • path traversal
  • known attack signatures

For most static Hugo sites, enabling WAF with default settings is enough.

Located under:

Security → WAF → Managed Rules

Enable “Cloudflare Managed Rules” for general protection.

9. Bot Management & Threat Mitigation

Features include:

  • bot score analysis
  • challenge pages
  • JavaScript and behavior analysis
  • CAPTCHA alternatives (Turnstile)

Useful for stopping:

  • scraping
  • spam
  • automated registrations
  • credential stuffing

Even free plans include basic bot protection.

10. Rate Limiting Rules

Rate limit sensitive or expensive endpoints:

Examples:

Limit login attempts

Path: /api/login
10 requests per minute per IP

Protect external API proxies

Path: /api/github/*
100 requests per minute

Protect comment form endpoints

Path: /api/comments
5 writes per minute per user

Under:

Security → WAF → Rate Limiting Rules

11. Securing Hugo + Cloudflare Sites

Although Hugo sites are static, you may still want to secure:

Admin dashboards

Protect with Cloudflare Access (identity-based policies).

Contact or feedback forms

Protect with bot rules or service tokens.

API endpoints in Pages Functions

Add:

  • WAF
  • rate limiting
  • Access policies
  • Turnstile CAPTCHA

Preview branches

Restrict to team members only.

Cloudflare makes it easy to secure even small developer tools.

12. Device Posture & Conditional Access

Cloudflare can require device-level checks:

  • antivirus installed
  • OS version
  • “Warp” client connected
  • company-managed devices

These are mostly used in enterprise setups but remain optional.

13. Best Practices for Cloudflare Security

  • Always enable HTTPS
  • Turn on DNSSEC
  • Use Cloudflare Access for any admin or private tool
  • Rate-limit all write endpoints
  • Use Turnstile instead of CAPTCHAs
  • Avoid exposing server IP addresses
  • Use Cloudflare Tunnel for internal tools
  • Keep your DNS records proxied (“orange cloud”)
  • Enable WAF managed rules

This creates a strong, simple security foundation.

14. Troubleshooting

14.1 Getting locked out of Access?

Add a fallback “Bypass” policy for emergency access, scoped as tightly as possible (for example, to a single fixed IP address): a Bypass policy skips authentication for every request it matches.

14.2 Tunnel not working?

Check:

  • cloudflared authentication
  • correct DNS routing
  • service running

14.3 API requests blocked by WAF?

Add exceptions for safe endpoints.

14.4 Users seeing challenge pages?

Verify bot rules and Access policies.

15. Conclusion and What’s Next

In this chapter, we explored the essentials of Cloudflare security:

  • Zero Trust concepts
  • identity-based protection
  • tunnels for secure exposure
  • WAF and bot protection
  • rate limiting
  • service tokens
  • best practices for protecting APIs and admin areas

Cloudflare makes modern security both powerful and approachable — matching Birdor’s philosophy of clear, reliable developer tools.

Next chapter:
Cloudflare Tutorial Series — Part 8: The Cloudflare Performance Optimization Playbook
