Cloudflare origin protection guide
This guide helps teams reduce origin bypass risk by reviewing exposed origin IPs, DNS records, firewall allowlisting, Authenticated Origin Pulls, Host header and SNI behavior, origin rules, and emergency access requirements.
Step by step
Implementation steps
1. Inventory every origin behind Cloudflare — web servers, load balancers, API backends, and admin hosts — and record their public IP addresses, hostnames, and which proxied records point to them.
2. Test direct reachability: attempt to reach each origin IP and hostname from outside Cloudflare to confirm whether traffic can bypass the edge today.
3. Review DNS history and exposed records for leaked origin IPs, DNS-only (grey-cloud) records, mail and FTP subdomains, and old A records that still resolve to the origin.
4. Restrict the origin firewall to Cloudflare's published IP ranges so only edge traffic is accepted, and plan to rotate origin IPs that have already been exposed publicly.
5. Enable Authenticated Origin Pulls so the origin only accepts TLS connections presenting Cloudflare's client certificate, closing the gap if an IP allowlist is ever incomplete.
6. Verify Host header and SNI handling at the origin, and use Origin Rules to set the correct Host header, SNI, destination port, or DNS override where virtual hosting or non-standard ports are involved.
7. Define emergency and maintenance access paths — break-glass IPs, deploy pipelines, monitoring probes — so hardening does not lock out legitimate operations.
8. Validate the hardened state end to end, then document the allowlist, certificate, and Origin Rules configuration so it survives infrastructure changes.
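Steps 2 and 8 both come down to the same measurement: connect straight to each origin IP, skipping the edge, and see whether it answers. The script below is an added example written for this guide (not Cloudflare's tooling and not from the original page). It reads a constructed inventory of hostname/IP pairs, opens a TLS connection to the origin IP with the hostname as SNI and Host header, and classifies the result: filtered by the firewall, refused for lack of a client certificate (what a working Authenticated Origin Pulls setup produces, at the TLS layer on Apache-style origins or as an HTTP 400/496 on nginx-style origins), or bypassable. The status codes treated as "refused" are an assumption that should be confirmed against the origin's own logs.

```python
"""Direct-reachability and Authenticated Origin Pulls check for an origin inventory.

Added example, not from the guide: for each (hostname, origin_ip) pair it connects
straight to the origin IP with the hostname as SNI and Host header, which is what a
request that skips the Cloudflare edge looks like, and classifies the outcome.
"""
import socket
import ssl

# Constructed sample inventory; replace with the step-1 origin inventory.
INVENTORY = [
    {"hostname": "www.example.com", "origin_ip": "192.0.2.10", "port": 443},
    {"hostname": "api.example.com", "origin_ip": "192.0.2.11", "port": 8443},
]

FILTERED = "filtered"          # no TCP connection: the firewall allowlist blocks non-edge sources
TLS_REJECTED = "tls_rejected"  # handshake refused without a client certificate (Apache-style AOP)
REFUSED = "refused"            # HTTP-level refusal such as nginx 400/496 when no client certificate is sent
NO_RESPONSE = "no_response"    # connection accepted but no parseable HTTP status line came back
BYPASSABLE = "bypassable"      # origin served the request directly: edge controls can be skipped


def classify(tcp_connected, tls_ok, http_status):
    """Pure decision logic, so it can be tested without a network."""
    if not tcp_connected:
        return FILTERED
    if not tls_ok:
        return TLS_REJECTED
    if http_status is None:
        return NO_RESPONSE
    # Assumed set of codes meaning "reached, but refused"; confirm against origin logs.
    if http_status in (400, 403, 421, 495, 496):
        return REFUSED
    return BYPASSABLE


def parse_status(response_head):
    """Return the status code from an HTTP/1.x status line, or None."""
    first = response_head.split("\r\n", 1)[0]
    parts = first.split(" ")
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(hostname, origin_ip, port=443, timeout=5.0):
    """Connect directly to origin_ip and return (tcp_connected, tls_ok, http_status)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # testing reachability, not the origin's certificate chain
    try:
        raw = socket.create_connection((origin_ip, port), timeout=timeout)
    except OSError:
        return (False, False, None)
    try:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            request = f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            head = tls.recv(4096).decode("latin-1", "replace")
    except ssl.SSLError:          # handshake or alert failure: checked before the broader OSError
        return (True, False, None)
    except OSError:               # reset or timeout after the handshake completed
        return (True, True, None)
    return (True, True, parse_status(head))


def check_inventory(inventory):
    """Probe every origin and return {hostname: label}; anything 'bypassable' needs hardening."""
    results = {}
    for entry in inventory:
        outcome = probe(entry["hostname"], entry["origin_ip"], entry.get("port", 443))
        results[entry["hostname"]] = classify(*outcome)
    return results


if __name__ == "__main__":
    for host, label in check_inventory(INVENTORY).items():
        print(f"{host}: {label}")
```

Run it from a host that is not on the allowlist (a laptop on a home connection, a cloud VM outside the environment); before hardening every entry should come back `bypassable`, and after steps 4 and 5 the same run should show only `filtered` or one of the refused labels. Keep the output from both runs as the direct-reachability deliverable.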
Risk register
Risks to control
- Risk: The origin IP is already public in DNS history or certificate logs, so allowlisting alone does not hide it.
  Control: Rotate exposed origin IPs after allowlisting, and rely on Authenticated Origin Pulls so a known IP still cannot be reached without Cloudflare's client certificate.
- Risk: Cloudflare IP allowlisting is incomplete or goes stale as ranges change, letting some edge traffic fail or some direct traffic through.
  Control: Allowlist the full published Cloudflare ranges, automate their refresh, and layer Authenticated Origin Pulls so the firewall is not the only line of defence.
- Risk: A DNS-only record or a non-web subdomain (mail, ftp, vpn) still resolves straight to the origin.
  Control: Audit every record's proxy status, move what can be proxied behind the edge, and protect or relocate services that cannot be proxied.
- Risk: Host header or SNI mismatches break the site when traffic is forced through the edge.
  Control: Test virtual-hosting and certificate behaviour per origin and use Origin Rules to set Host header, SNI, and destination port before tightening the firewall.
- Risk: Hardening locks out deploys, health checks, or emergency admin access.
  Control: Enumerate legitimate non-edge access — CI/CD, monitoring, break-glass — and provision controlled paths for them before closing the firewall.
- Risk: Authenticated Origin Pulls is enabled without the origin actually validating the client certificate.
  Control: Confirm the web server is configured to require and verify Cloudflare's client certificate, and test that connections without it are refused.
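The stale-allowlist risk above, and step 4 of the implementation, are easiest to control with an audit that runs on a schedule. The script below is an added example for this guide, not Cloudflare's own tooling. Cloudflare publishes its ranges as one CIDR per line at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; `fetch_published()` reads those, while the embedded sample ranges are constructed placeholders so the audit runs offline. It reports published ranges the firewall is missing (edge traffic would be dropped), allowlist entries that are neither published nor on the documented break-glass list (direct traffic would be let through), and renders the refreshed ranges as an nftables set. The set name and the break-glass list are assumptions for the example.

```python
"""Audit an origin firewall allowlist against Cloudflare's published IP ranges.

Added example, not from the guide. The live ranges are published at
https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 as one CIDR
per line; fetch_published() reads those, and the constructed sample data below lets
the audit run offline.
"""
import ipaddress
import urllib.request

CLOUDFLARE_RANGE_URLS = (
    "https://www.cloudflare.com/ips-v4",
    "https://www.cloudflare.com/ips-v6",
)


def parse_ranges(text):
    """Parse one CIDR per line into ip_network objects, skipping blank lines."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def fetch_published(urls=CLOUDFLARE_RANGE_URLS, timeout=10):
    """Download the current Cloudflare ranges (network access required)."""
    nets = []
    for url in urls:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            nets.extend(parse_ranges(resp.read().decode("ascii")))
    return nets


# Constructed placeholders standing in for the published list; not Cloudflare's real ranges.
SAMPLE_PUBLISHED = parse_ranges("""
198.51.100.0/24
203.0.113.0/25
2001:db8:cf::/48
""")

# Constructed snapshot of what the origin firewall currently accepts on the web ports:
# one range only half-covered, one retired range still present, one break-glass source.
SAMPLE_ALLOWLIST = parse_ranges("""
198.51.100.0/24
203.0.113.0/26
203.0.113.128/25
192.0.2.0/29
2001:db8:cf::/48
""")

# Documented non-edge sources (CI/CD, monitoring, break-glass); constructed for the example.
SAMPLE_BREAK_GLASS = parse_ranges("192.0.2.0/29")


def _covered(net, by):
    """True if `net` lies entirely inside one of the networks in `by` (same IP version)."""
    return any(n.version == net.version and net.subnet_of(n) for n in by)


def audit(allowlist, published, break_glass=()):
    """Return published ranges the allowlist misses (edge traffic would be dropped) and
    allowlist entries that are neither published nor documented break-glass (direct
    traffic would be let through). Both lists hold CIDR strings."""
    missing = [str(p) for p in published if not _covered(p, allowlist)]
    stale = [str(a) for a in allowlist
             if not _covered(a, published) and not _covered(a, break_glass)]
    return {"missing": missing, "stale": stale}


def render_nft_set(name, nets):
    """Render an nftables set of the given ranges so a refresh can be loaded atomically."""
    elements = ", ".join(str(n) for n in nets)
    family = "ipv4_addr" if nets and nets[0].version == 4 else "ipv6_addr"
    return (f"set {name} {{\n  type {family}\n  flags interval\n"
            f"  elements = {{ {elements} }}\n}}\n")


if __name__ == "__main__":
    report = audit(SAMPLE_ALLOWLIST, SAMPLE_PUBLISHED, SAMPLE_BREAK_GLASS)
    print("missing:", report["missing"])   # ['203.0.113.0/25']
    print("stale:", report["stale"])       # ['203.0.113.128/25']
    print(render_nft_set("cloudflare_v4", [n for n in SAMPLE_PUBLISHED if n.version == 4]))
```

In production, swap `SAMPLE_PUBLISHED` for `fetch_published()` and feed the allowlist from the firewall's own export; a non-empty `missing` list means edge requests are being dropped, and a non-empty `stale` list is an undocumented direct path that should be removed or added to the break-glass register. The audit is deliberately a companion to Authenticated Origin Pulls rather than a replacement: even a perfectly fresh allowlist still leaves the origin reachable from any allowlisted address, which is why the certificate check stays on.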
Output
Useful deliverables
- Origin inventory listing every backend, its public IP and hostname, and the proxied records pointing to it.
- Direct-reachability test results showing which origins can currently be bypassed.
- DNS exposure review covering leaked IPs, DNS-only records, and non-web subdomains that resolve to the origin.
- Origin firewall allowlist plan for Cloudflare IP ranges, including IP rotation for already-exposed origins.
- Authenticated Origin Pulls configuration and verification that connections without the client certificate are refused.
- Origin Rules for Host header, SNI, port, and DNS override where virtual hosting or non-standard ports apply.
- Emergency and maintenance access plan plus documented final-state configuration for the hardened origins.
FAQ
Frequently asked questions
Common questions teams ask when putting this resource into practice.
Isn't proxying through Cloudflare enough to protect the origin?
No. Proxying hides the origin only if the origin IP is unknown and unreachable directly. If the IP is leaked or guessable, attackers connect straight to it and bypass every edge control. Allowlisting Cloudflare IPs and enabling Authenticated Origin Pulls force traffic through the edge.
What is Authenticated Origin Pulls and why use it alongside IP allowlisting?
Authenticated Origin Pulls makes the origin require Cloudflare's client TLS certificate on every connection. It complements IP allowlisting: even if the firewall ranges are incomplete or a connection comes from an allowlisted-but-untrusted source, the origin still refuses traffic that does not present the certificate.
My origin IP is already public. Does hardening still help?
Yes, but allowlisting alone is weaker once an IP is known. Rotate the origin IP after allowlisting where possible, and lean on Authenticated Origin Pulls so the exposed IP cannot be used without Cloudflare's certificate.
Will Origin Rules be needed?
Often, where the origin uses virtual hosting, expects a specific Host header or SNI, or listens on a non-standard port. Origin Rules let you set Host header, SNI, destination port, and DNS override per matching request so traffic reaches the right backend after hardening.
Nanosek
Harden your origins
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.