Block page
You can customize the block page that displays when users fail to authenticate to an Access application. Each application can have a different block page.
Cloudflare Access offers three different block page options:
- Default: Displays a Cloudflare branded block page.
- Custom Redirect URL - Redirects blocked requests to the specified URL. For example, you could redirect the user to a dynamic Access Denied page ↗ that fetches their identity and shows the exact reason they were blocked.
- Custom Page Template - (Only available on Pay-as-you-go and Enterprise plans) Displays a custom HTML page hosted by Cloudflare.
You can display a different type of block page to users who fail an identity-based policy versus a non-identity policy.
- Identity failure block page: Displays when the user fails an identity-based Access policy (such as email, user group, or external evaluation rule), after logging in to their identity provider.
- Non-identity failure block page: Displays when the user fails a non-identity Access policy (such as country, IP, or device posture). Cloudflare checks non-identity attributes before prompting the user to login. Therefore, the non-identity block page would take precedence over the identity block page.
To create a custom block page for Access:
-
In Zero Trust ↗, go to Settings > Custom Pages.
-
Find the Access Custom Pages setting and select Manage.
-
Select Add a page template.
-
Enter a unique name for the block page.
-
In Type, select whether this is an identity or non-identity block page.
-
In Custom HTML, enter the HTML code for your custom page. For example,
<!doctype html><html><body><h1>Access denied.</h1><p>To obtain access, contact your IT administrator.</p></body></html> -
To check the appearance of your custom page, select Download and open the HTML file in a browser.
-
Once you are satisfied with your custom page, select Save.
You can now select this block page when you configure an Access application.