Cloudflare Docs
Firewall Rules
Visit Firewall Rules on GitHub
Set theme to dark (⇧+D)

Require a specific cookie

To secure a sensitive area such as a development area, you can share a cookie with trusted individuals and then filter requests so that only users with that cookie can access your site.

Use the http.cookie field to target requests based on the presence of a specific cookie.

This example comprises two rules:

  • The first rule targets requests to dev.www.foo that have a specific cookie key, devaccess. As long as the value of the cookie key contains one of three authorized users, james, matt, or michael, the expression matches and the request is allowed.
  • The second rule blocks all access to dev.www.example.com.

Since the Allow action has precedence over Block, Cloudflare grants access to requests that satisfy Rule 1 and blocks all other requests to dev.www.example.com:

Execution orderExpressionAction
1(http.cookie contains "devaccess=james" or http.cookie contains "devaccess=matt" or http.cookie contains "devaccess=michael") and http.host eq "dev.www.example.com")Allow
2http.host eq "dev.www.example.com"Block