The same JWT is passed to the origin for validation, and the 'client' in this case could throw it in

The same JWT is passed to the origin for validation, and the 'client' in this case could throw it in a cookie pot I suppose

Kkian The same JWT is passed to the origin for validation, and the 'client' in this ca...

dave•9/6/23, 6:59 PM

hmm, so could somebody take the JWT, and then use it on a server that doesn't have it's IP whitelisted by Cloudflare?

kianOP•9/6/23, 7:09 PM

You can take the cookie & remove the

CF-Access-Client-Id

CF-Access-Client-Id

and

CF-Access-Client-Secret

CF-Access-Client-Secret

headers.

Fernando Dilland•9/6/23, 7:17 PM

Does anyone know how to transfer a domain registered in Cloudflare register to another Cloudflare account?

kianOP•9/6/23, 7:17 PM

You can't

kianOP•9/6/23, 7:18 PM

You'd have to transfer it out to a different registrar, wait and transfer it to the other account

Ddave hmm, so could somebody take the JWT, and then use it on a server that doesn't ha...

Cyb3r-Jak3•9/6/23, 7:18 PM

Yeah you can stick JWT on requests. Which is why you should always validate JWT

CCyb3r-Jak3 Yeah you can stick JWT on requests. Which is why you should always validate JWT

dave•9/6/23, 7:19 PM

wait, seriously? So having a JWT will bypass all my Access rules?

Ddave wait, seriously? So having a JWT will bypass all my Access rules?

Cyb3r-Jak3•9/6/23, 7:20 PM

Oh sorry misread it. Access rules valid JWTs

CCyb3r-Jak3 Oh sorry misread it. Access rules valid JWTs

dave•9/6/23, 7:27 PM

if the JWT is valid but the IP isn't in my service auth list, it'll still fail right?

Ddave if the JWT is valid but the IP isn't in my service auth list, it'll still fail r...

Cyb3r-Jak3•9/6/23, 7:37 PM

Yeah the full access rule will be evaluated

Chaika•9/6/23, 7:39 PM

There's a table here for things that are checked at login vs checked continuously: https://developers.cloudflare.com/cloudflare-one/policies/access/#selectors

Access policies · Cloudflare Zero Trust docs

Cloudflare Access determines who can reach your application by applying the Access policies you configure.

Chaika•9/6/23, 7:40 PM

don't think there's anything unexpected in that though, basically just the login stuff isn't constantly checked, or external eval, because you would have to go through the flow again

Chaika•9/6/23, 7:42 PM

in the access app settings as well you can enable a "binding cookie" which associates the access token with the current "browser": https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/#binding-cookie

The Binding Cookie associates the browser with the Access token; the association protects against compromised authorization tokens because the origin webapp would never see this binding cookie. This protects against session hijack style attacks.

Kasumi•9/6/23, 9:56 PM

Does cloudflare preload from CF cache and then load small changes or so like blog things or so as soon as the page is loaded?

conqr ᯅ•9/7/23, 12:41 AM

Is the

host

host

parameter on Origin Rules locked behind a specific plan? I'm getting "not entitled to use the Origin Host override" when trying to edit it

kianOP•9/7/23, 12:41 AM

Yep, Enterprise

conqr ᯅ•9/7/23, 12:43 AM

Is there another way to internally rewrite something like

example.com/blog

example.com/blog

to another IP / host (like

blog.example.com

blog.example.com

)

kianOP•9/7/23, 12:44 AM

Workers can (100k reqs per day for free), Snippets will be able to (free, lightweight Workers but not yet available)

Kkian Workers can (100k reqs per day for free), Snippets will be able to (free, lightw...

conqr ᯅ•9/7/23, 12:50 AM

Workers Route right?

CChaika There's a table here for things that are checked at login vs checked continuousl...

dave•9/7/23, 1:37 AM

Thank you, exactly what I was looking for!

justaname•9/7/23, 2:15 AM

I have this really odd question if i got an api setup on something like test.com/api/endpoint can a domain like api.test.com/endpoint point twoards test.com/api/endpoint? is that something thats possible?

Kasumi•9/7/23, 5:08 AM

Could be possible I guess