Cloudflare Docs
Cloudflare Zero Trust
Cloudflare Docs
Cloudflare Zero Trust
GitHub icon
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Cloudflare Zero Trust
  3. ...
  4. Add web applications
  5. Self-hosted applications

Add a self-hosted application

Cloudflare Access allows you to securely publish internal tools and applications to the Internet by providing an authentication layer between the end user and your origin. You can use signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can access your application.

Cloudflare Access authenticates users to your internal applications.

​​ Prerequisites

​​ 1. Add your application to Access

  1. In Zero Trust, go to Access > Applications.

  2. Select Add an application.

  3. Select Self-hosted.

  4. Enter any name for the application.

  5. Choose a Session Duration. The session duration determines the minimum frequency for which a user will be prompted to authenticate with the configured IdP. If you want users to re-authenticate every time they reach your application, select No duration, expires immediately.

  6. In Application domain, enter the hostname that will represent the application.

    • The hostname must belong to an active zone in your Cloudflare account. You can either select a domain from the dropdown or enter a custom domain that you control.
    • You can use wildcards to protect multiple parts of an application that share a root path.

  7. (Optional) If you want the application to be visible in the App Launcher:

    1. Select Enable App in App Launcher. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher.
    1. To add a custom logo for your application, select Custom and enter a link to your desired image.

  8. In the Identity Providers card, select the identity providers you want to enable for your app.

  9. (Optional) Turn on Instant Auth if you selected only one IdP and want users to skip the identity provider selection step.

  10. Select Next.

​​ 2. Add an Access policy

You can now configure an Access policy to control who can connect to your application.

  1. Enter any name for your rule.

  2. Specify a policy action.

  3. Assign Access groups to reuse existing rules, or create new rules. You can add as many include, exception, or require statements as needed.

  4. (Optional) Customize the login experience for users who match this policy:

  5. Select Next.

​​ 3. (Optional) Configure advanced settings

You can configure the following advanced settings for your application:

To finish configuring the application, select Add application.

​​ 4. Connect your origin to Cloudflare

Next, set up a Cloudflare Tunnel to make your internal application available over the Internet.

​​ 5. Validate the Access token

To secure your origin, you must validate the application token issued by Cloudflare Access.

One option is to configure the Cloudflare Tunnel daemon, cloudflared, to validate the token on your behalf. This is done by enabling Protect with Access in your Cloudflare Tunnel settings. If you do not wish to use Cloudflare Tunnel, you can manually configure your origin to check all requests for a valid token.

Users can now connect to your self-hosted application after authenticating with Cloudflare Access.