Cloudflare Zero Trust and its Access policies allow for a powerful security setup.
One can proxy a domain through the Cloudflare network and only actors that meet certain policies may access the service.
A custom domain registered with Cloudflare can also be configured on the Digital Ocean App Platform. This allows request to be routed through the Cloudflare Zero Trust network.
However, since the "starter domain" is always generated and cannot be disabled, one can bypass the Cloudflare Zero Trust network if the generated "starter domain" is known.
The "starter domain" cannot be registered with and proxied by Cloudflare.
Therefore, we need to be able to
  • disable the starter domain entirely (preferred option)
  • or configure redirects from the starter domain to a custom domain (redirects are supported but only "paths" can be redirected)
  • or setup firewall rules that deny access on the starter domain
  • or in any reliable way detect when a request is _not_ made from a custom domain; i.e. the App Platform proxy ensures with 100% certainty that, say, an HTTP header is set. It furthermore ensures that the header cannot be overridden by the client (the requester). The service behind the proxy can evaluate the header and detect if a request was not issued via the custom domain, and in this case, drop the requeset.
Just some of the ideas that come to mind.
Disabling the starter domain or redirecting request from the starter domain to the custom domain would be the most convenient (and probably most secure) options.
We are open for any idea that may help in this scenario.
Many thanks in advance and best regards,
Lukas