Self hosted application authentication with Zero Trust
Hello. I'm trying to do authentication on my self hosted application with Zero Trust. If I just read Cf-Access-Authenticated-User-Email and authenticate the user that way, is it secure enough? Or is it better to manually validate the JWT token server side? Thank you
Support AI
According to the documentation, simply reading the Cf-Access-Authenticated-User-Email header is not sufficient for security.
As stated in the documentation (https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/application-token/), "Validation of the header alone is not sufficient — the JWT and signature must be confirmed to avoid identity spoofing."
Therefore, it is recommended to manually validate the JWT token server-side to ensure the security of your origin. This involves verifying the token's signature and payload to confirm its authenticity.
This is an AI-generated response; it may not be 100% accurate. Please validate the output. You can ask follow-ups by replying to this message or mentioning me.
Sources: https://community.cloudflare.com/t/securing-a-single-page-application-spa-behind-cloudflare-access/210484/2
So this forum post is wrong?
It says the email header is sufficient for security.
@Nikolas so you are trying to make a Zero Trust login application?