NexDam

Posted on • Originally published at nexdam.it

Protect Your Website with Cloudflare Zero Trust (Free Plan) Published by NexDam — nexdam.it

Introduction
If you have a website, an admin panel or any private resource online, you've probably asked yourself: "How do I make sure only I can access it?"
The traditional answer is IP whitelisting or VPN — complicated, expensive and hard to maintain. There's a better way: Cloudflare Zero Trust, and the free plan is more than enough for most use cases.
In this guide I'll show you how to protect any URL on your site so that only authorized emails can access it — with zero server configuration required.

What is Zero Trust?
Zero Trust is a security model based on one principle: never trust, always verify. Instead of assuming that anyone inside your network is safe, every request must be authenticated — regardless of where it comes from.
Cloudflare Zero Trust puts a login wall in front of any resource you want to protect. Nobody reaches your app until they prove who they are.

Prerequisites
Before we start, make sure you have:

A domain managed on Cloudflare (DNS pointing to Cloudflare)
A Cloudflare account (free plan is enough)
A website or app already deployed (Vercel, VPS, or any host)

**Step 1 — Access Cloudflare Zero Trust**

Log in to cloudflare.com
From the left sidebar click Zero Trust
If it's your first time, Cloudflare will ask you to create a team name — choose something like nexdam or your brand name

**Step 2 — Create an Access Application**

Go to Access → Applications
Click Add an Application
Select the Self-hosted tab, then click Public DNS and Continue

Now fill in the details:

| Field | Value |
| --- | --- |
| Application name | Admin Panel (or whatever you want to protect) |
| Domain | Select your domain from the dropdown |
| Path | pages/admin (the path you want to protect) |

Click Next.

**Step 3 — Create an Access Policy**

This is where you define who can access the resource.

Click Create new policy
Fill in:

| Field | Value |
| --- | --- |
| Policy name | Admin Only |
| Action | Allow |
| Selector | Emails |
| Value | your@email.com |

Click Save policy
Scroll down, name your application and click Create

**Step 4 — Test It**

Open an incognito window and navigate to your protected URL, for example:
https://yourdomain.com/pages/admin
You'll see a Cloudflare login screen asking for your email. Enter the authorized email — Cloudflare sends a one-time code to verify it's really you. Enter the code and you're in.
Anyone else who tries to access that URL gets blocked — they don't even see your app.

**Step 5 — Add Multiple Emails (Optional)**

Need to give access to a teammate? Go back to your policy and add more emails:
example@nexdam.it
You can also use email domains to allow everyone from a company:
Selector: Email domain
Value: nexdam.it
This allows anyone with a @nexdam.it email to access the resource.

How It Works Under the Hood
User visits protected URL
↓
Cloudflare intercepts the request
↓
Is the user authenticated? → No → Show login screen
↓ Yes
Does the user match the policy? → No → Block
↓ Yes
Allow access to the application
The best part: your server never receives unauthorized requests. Cloudflare blocks them at the edge, before they even reach your infrastructure.
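
The edge check only covers requests that arrive through Cloudflare, so an origin that is also reachable by its own hostname or IP can additionally verify the signed JWT that Access attaches to allowed requests in the `Cf-Access-Jwt-Assertion` header. The sketch below is an added example, not code from the original post. The team domain, AUD tag and key ID are placeholders, and a throwaway key pair stands in for the keys Cloudflare publishes at `https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs`.

```javascript
const nodeCrypto = require('node:crypto');

const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// token:    value of the Cf-Access-Jwt-Assertion request header
// jwks:     parsed JSON from https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs
// expected: { issuer, aud } -> team domain URL and the application's AUD tag (placeholders)
function verifyAccessJwt(token, jwks, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = decodePart(h);
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown signing key');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sigOk = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  // Claims are trusted only after the signature check has passed.
  const claims = decodePart(p);
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(expected.aud)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed fixture: a throwaway RSA key pair stands in for Cloudflare's signing key
// so the check can be exercised offline. Nothing below talks to Cloudflare.
function makeFixture() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'constructed-kid' }] };
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const mint = (claims) => {
    const input = `${enc({ alg: 'RS256', kid: 'constructed-kid' })}.${enc(claims)}`;
    return `${input}.${nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
  };
  return { jwks, mint };
}

// Constructed sample values; replace with your own team domain and AUD tag.
const expected = { issuer: 'https://example-team.cloudflareaccess.com', aud: 'constructed-aud-tag' };
const fixture = makeFixture();
const now = Math.floor(Date.now() / 1000);
const token = fixture.mint({ iss: expected.issuer, aud: [expected.aud], email: 'your@email.com', exp: now + 300 });
console.log(verifyAccessJwt(token, fixture.jwks, expected).email);
```

In a real handler, reject the request with a 403 whenever `verifyAccessJwt` throws, and cache the fetched key set instead of requesting it on every call.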

Why Zero Trust Instead of Password Protection?

| Method | Security | Setup | Cost |
| --- | --- | --- | --- |
| .htpasswd | Low | Medium | Free |
| IP whitelist | Medium | Hard | Free |
| VPN | High | Very hard | Expensive |
| Cloudflare Zero Trust | High | Easy | Free |

Zero Trust wins on every front for small teams and personal projects.

Conclusion
In less than 10 minutes you've added enterprise-grade access control to your website — for free. No server configuration, no VPN, no complicated setup.
Cloudflare Zero Trust is one of the most powerful tools available on the free plan, and it's criminally underused by developers and small businesses.

Need help configuring Cloudflare for your infrastructure? At NexDam we handle everything — from DNS setup to Zero Trust policies and full cybersecurity hardening.
👉 nexdam.it — Get in touch today.

Tags: cloudflare security webdev devops tutorial
