> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://docs.tester.army/llms.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.tester.army/_mcp/server.

# Cloudflare Zero Trust

If your site sits behind Cloudflare Zero Trust (Access), the TesterArmy browser is blocked at the edge before your app ever loads. Save the bypass headers in TesterArmy and they will be sent on every request to your deployment host so tests can reach the application.

## When you need this

You need this when your site is protected by a Cloudflare Access application and you see one of:

* A Cloudflare Access login screen instead of your app.
* HTTP `401`, `403`, or a Cloudflare-branded block page on the deployment host.
* Tests pass locally with your own browser session but fail in TesterArmy at the very first navigation.

You do **not** need this for:

* HTTP Basic Auth — use [HTTP Basic Auth](/auth/basic-auth).
* App-level login (your own login form) — use [Test Credentials](/auth/credentials).

## Pick a bypass method

Cloudflare supports two ways to let an automated client through Access. Either works with TesterArmy.

### Option A — Service tokens (recommended)

A service token is a Client ID + Client Secret pair generated in the Cloudflare dashboard. Your Access policy must include a **Service Auth** rule that allows this token.

1. In Cloudflare: **Zero Trust → Access → Service Auth → Service Tokens → Create Service Token**. Set a name and a duration.
2. Copy the **Client ID** and **Client Secret**. The secret is shown only once.
3. Open the Access application that protects your site: **Access → Applications → \<your app> → Policies → Add policy**.
4. Set **Action: Service Auth** and add an **Include** rule of type **Service Token** matching the token you just created. Save.

The token now grants access when these two headers are present on the request:

```
CF-Access-Client-Id: <CLIENT_ID>
CF-Access-Client-Secret: <CLIENT_SECRET>
```

### Option B — Bypass policy with a custom header

Use this if you cannot create a service token (for example, you only manage one Access application and prefer a single shared secret).

1. In Cloudflare: open the Access application → **Policies → Add policy**.
2. Set **Action: Bypass**.
3. Add an **Include** rule of type **HTTP header** with a header name and value of your choice — e.g. `X-Tester-Army-Bypass` equals a long random secret. Save.

Cloudflare will allow any request that carries that exact header.

## Save the headers in TesterArmy

1. Go to **Project Settings → Integrations → Site Protection**.
2. Click **Set up** on the Cloudflare Zero Trust card.
3. Enter the header pair(s):
   * **Service tokens**: fill `CF-Access-Client-Id` and `CF-Access-Client-Secret` in the two default rows.
   * **Bypass policy**: clear the default rows and add your custom header name and value.
4. Click **Save headers**.