-
Do you have documentation on the CSP params? It doesn't make any sense to me that Cloudflare Access would require changes to the CSP unless they are injecting scripts into the app… If that's the case then almost every application with reasonable security precautions would fail.
-
We're using Outline for our internal wiki system but have it hosted behind Cloudflare Access as we have team members across the globe.
For it to work behind Cloudflare Access some CSP connect params need adding such as the `subdomain.cloudflareaccess.com` and changes to the `ApiClient.js` fetch request to send credentials: "same-origin", instead of "omit". See: https://developers.cloudflare.com/access/setting-up-access/cors/#troubleshooting

I know this might be super edge case. Normally we'd just use an IP restriction, however one of our team members is unable to get a static IP address from his ISP and his IP changes daily. I understand the Google login domain can be locked down to a specific `@domain.tld` extension as well, that would solve this, however we'd still like it locked down so the subdomain cannot be reached unless authenticated via Cloudflare first.

Proposed feature request/changes:

Move CSP/CORS related values to ENV_VARS or allow additional values to be injected just like the `AWS_S3_UPLOAD_BUCKET_URL` and control over the `credentials` variable for fetch requests.

This would also allow people to remove Google Analytics / Sentry access if they so wished.
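One way the env-driven CSP and fetch `credentials` settings proposed above could be validated before use, as an added example that is not part of the original post or Outline's own code. The variable names `CSP_CONNECT_SRC_EXTRA` and `FETCH_CREDENTIALS` and the `'self'` base policy are assumptions.

```javascript
// Hypothetical env var names and base policy; not Outline's actual configuration.
const BASE_CONNECT_SRC = ["'self'"];
const CREDENTIAL_MODES = new Set(["omit", "same-origin", "include"]);

// Parse a comma-separated list of extra origins. Only exact https origins are
// accepted, so an env value cannot add wildcards, keywords or extra directives.
function parseExtraOrigins(raw) {
  const accepted = [];
  const rejected = [];
  const items = (raw || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (const item of items) {
    let url;
    try {
      url = new URL(item);
    } catch {
      rejected.push(item); // bare "*", CSP keywords, hostnames without a scheme
      continue;
    }
    const exact =
      url.protocol === "https:" &&
      /^[a-z0-9.-]+$/.test(url.hostname) && // no "*", ";" or other CSP syntax
      url.username === "" && url.password === "" &&
      url.pathname === "/" && url.search === "" && url.hash === "";
    if (exact) accepted.push(url.origin);
    else rejected.push(item);
  }
  return { accepted: [...new Set(accepted)], rejected };
}

// Build the connect-src directive from the fixed base plus validated extras.
function buildConnectSrc(env) {
  const { accepted, rejected } = parseExtraOrigins(env.CSP_CONNECT_SRC_EXTRA);
  const directive = `connect-src ${[...BASE_CONNECT_SRC, ...accepted].join(" ")}`;
  return { directive, rejected };
}

// Pick the fetch credentials mode; unknown values fall back to "omit".
function fetchCredentials(env) {
  const mode = (env.FETCH_CREDENTIALS || "").trim();
  return CREDENTIAL_MODES.has(mode) ? mode : "omit";
}

// Constructed sample environment.
const sampleEnv = {
  CSP_CONNECT_SRC_EXTRA: "https://subdomain.cloudflareaccess.com, *, http://plain.example",
  FETCH_CREDENTIALS: "same-origin",
};
console.log(buildConnectSrc(sampleEnv), fetchCredentials(sampleEnv));
```

Rejected entries are returned rather than silently dropped so a deployment can log or fail on a misconfigured value.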