From 0af9fbe520c80f575169f55442dd2db7dc5702d7 Mon Sep 17 00:00:00 2001 From: Ankur Aggarwal Date: Fri, 27 Feb 2026 17:50:51 -0800 Subject: [PATCH 1/2] [Cloudflare One] Document non-identity email for authorization proxy endpoint background requests --- .../resolvers-and-proxies/proxy-endpoints/index.mdx | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx index 183a0da76b206c..75dd521698bcdc 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx @@ -472,9 +472,15 @@ Authorization endpoints do not support plaintext HTTP traffic unless the traffic #### Referer header traffic -Traffic with a referer HTTP header matching the domain of a recently logged in user from the same source IP will be allowed through and logged with a non-identity email address. +Traffic with a referer HTTP header matching the domain of a recently logged in user from the same source IP will be allowed through and logged with the following non-identity email address: -This issue occurs because browsers will not tag HTTP sub-requests with the identity cookie used to verify user authentication. If you would like to filter this traffic, you can set up an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block all traffic matching the non-identity email address. +```txt +auth-proxy-non-identity@.cloudflareaccess.com +``` + +Where `` is your [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name). + +This occurs because browsers do not tag HTTP sub-requests with the identity cookie used to verify user authentication. If you would like to filter this traffic, you can set up an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block or allow all traffic matching the `auth-proxy-non-identity@.cloudflareaccess.com` email address. ### Traffic limitations From bec6d88c31e0aaf6133311a8980116b522603a4a Mon Sep 17 00:00:00 2001 From: Ankur Aggarwal Date: Fri, 27 Feb 2026 17:54:15 -0800 Subject: [PATCH 2/2] fix: use placeholder to match docs conventions --- .../resolvers-and-proxies/proxy-endpoints/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx index 75dd521698bcdc..3764390304030e 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx @@ -475,12 +475,12 @@ Authorization endpoints do not support plaintext HTTP traffic unless the traffic Traffic with a referer HTTP header matching the domain of a recently logged in user from the same source IP will be allowed through and logged with the following non-identity email address: ```txt -auth-proxy-non-identity@.cloudflareaccess.com +auth-proxy-non-identity@.cloudflareaccess.com ``` -Where `` is your [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name). +Where `` is your [team name](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name). -This occurs because browsers do not tag HTTP sub-requests with the identity cookie used to verify user authentication. If you would like to filter this traffic, you can set up an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block or allow all traffic matching the `auth-proxy-non-identity@.cloudflareaccess.com` email address. +This occurs because browsers do not tag HTTP sub-requests with the identity cookie used to verify user authentication. If you would like to filter this traffic, you can set up an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) to block or allow all traffic matching the `auth-proxy-non-identity@.cloudflareaccess.com` email address. ### Traffic limitations