
Lockdown

Source: src/Cloudflare/Firewall/Lockdown.ts

A Cloudflare Zone Lockdown rule — restrict one or more URL patterns on a zone so that only an allow-list of IP addresses and CIDR ranges can access them. Every other visitor receives an “Access Denied” page.

Everything about a lockdown rule is mutable in place: urls, configurations, description, paused, and priority are all updated via PUT without replacing the rule. Only moving the rule to a different zone triggers a replacement.

Zone Lockdown is available on Pro plans and above, with per-plan rule quotas (Pro: 3, Business: 10, Enterprise: 200). Cloudflare rejects a second rule covering the same URLs with a duplicate error, so a rule’s URL set acts as its identity within a zone.

Safety: lockdown rules carry no ownership markers. When there is no prior state, read scans the zone for an existing rule with the same URL set and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.
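The identity, adopt and update rules described above, modelled as an added example in TypeScript. This is not the library's own code and not Cloudflare's: the `ExistingRule` shape, the `SAMPLE_RULES` listing, the zone ids and every helper name are assumptions made for the illustration, and the rule listing is constructed inline rather than fetched.

```typescript
// Added example, not the library's or Cloudflare's code. Models three behaviours from
// the docs over a constructed zone listing: a rule's URL set is its identity, a match with
// no prior state is Unowned unless adoption is requested, and only a zone change replaces.
type Target = "ip" | "ip_range";

export interface Configuration {
  target: Target;
  value: string;
}

export interface LockdownSpec {
  zoneId: string;
  urls: string[];
  configurations: Configuration[];
  description?: string;
  paused?: boolean;
  priority?: number;
}

// A rule as it would come back from listing the zone's lockdowns (shape assumed here).
export interface ExistingRule extends LockdownSpec {
  id: string;
}

// Constructed sample data standing in for a real zone listing.
export const SAMPLE_RULES: ExistingRule[] = [
  {
    id: "rule-1",
    zoneId: "zone-a",
    urls: ["example.com/staging*", "example.com/internal*"],
    configurations: [{ target: "ip_range", value: "203.0.113.0/24" }],
    paused: false,
  },
  {
    id: "rule-2",
    zoneId: "zone-a",
    urls: ["shop.example.com/admin*"],
    configurations: [{ target: "ip", value: "198.51.100.4" }],
    description: "only the office can reach /admin",
    paused: false,
  },
];

// Cloudflare refuses a second rule with the same URLs, so the URL set is the rule's
// identity. Canonicalise it so ordering, surrounding whitespace and duplicates are ignored.
export function urlSetKey(urls: string[]): string {
  return Array.from(new Set(urls.map((u) => u.trim()))).sort().join("\n");
}

export function findByUrlSet(existing: ExistingRule[], urls: string[]): ExistingRule | undefined {
  const key = urlSetKey(urls);
  return existing.find((rule) => urlSetKey(rule.urls) === key);
}

export type ReadOutcome =
  | { kind: "absent" }
  | { kind: "unowned"; rule: ExistingRule }
  | { kind: "adopted"; rule: ExistingRule };

// No prior state and no ownership markers: a rule already covering these URLs cannot be
// proven to belong to this deployment, so it is Unowned unless adoption was asked for.
export function readWithoutState(existing: ExistingRule[], urls: string[], adopt: boolean): ReadOutcome {
  const match = findByUrlSet(existing, urls);
  if (!match) return { kind: "absent" };
  return adopt ? { kind: "adopted", rule: match } : { kind: "unowned", rule: match };
}

// Canonical form of the allow-list, so a reordered list is not reported as a change.
function configKey(configurations: Configuration[]): string {
  return configurations.map((c) => `${c.target}=${c.value}`).sort().join("\n");
}

// Only a zone change replaces the rule; every other field is updated in place via PUT.
export function planUpdate(prior: LockdownSpec, next: LockdownSpec): "noop" | "update" | "replace" {
  if (prior.zoneId !== next.zoneId) return "replace";
  const changed =
    urlSetKey(prior.urls) !== urlSetKey(next.urls) ||
    configKey(prior.configurations) !== configKey(next.configurations) ||
    (prior.description ?? "") !== (next.description ?? "") ||
    (prior.paused ?? false) !== (next.paused ?? false) ||
    prior.priority !== next.priority;
  return changed ? "update" : "noop";
}

// "ip" takes a single address and "ip_range" takes a CIDR; a mismatch only surfaces as an
// API error at apply time, so catch the common mix-up locally first.
export function configurationErrors(configurations: Configuration[]): string[] {
  const errors: string[] = [];
  for (const c of configurations) {
    const hasPrefix = /\/\d{1,3}$/.test(c.value);
    if (c.target === "ip" && hasPrefix) errors.push(`${c.value}: "ip" takes one address; use "ip_range" for a CIDR`);
    if (c.target === "ip_range" && !hasPrefix) errors.push(`${c.value}: "ip_range" needs a CIDR prefix`);
  }
  return errors;
}
```

Because the match is on the canonical URL set rather than on the resource name, renaming the resource in code while keeping its URLs still finds the same rule in the zone, and a rule created by hand with the same URLs will be reported Unowned rather than silently overwritten.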

Allow a single office IP to reach an admin panel

```typescript
// Restrict /admin on shop.example.com to one office address; every other
// visitor gets the Access Denied page.
yield* Cloudflare.Lockdown("AdminLockdown", {
  zoneId: zone.zoneId,
  urls: ["shop.example.com/admin*"],
  configurations: [{ target: "ip", value: "198.51.100.4" }],
  description: "only the office can reach /admin",
});
```

Allow a CIDR range across multiple URLs

```typescript
// One rule can cover several URL patterns; "ip_range" takes a CIDR and "ip" a
// single address, and the two targets can be mixed in one allow-list.
yield* Cloudflare.Lockdown("StaffOnly", {
  zoneId: zone.zoneId,
  urls: ["example.com/internal*", "example.com/staging*"],
  configurations: [
    { target: "ip_range", value: "203.0.113.0/24" },
    { target: "ip", value: "198.51.100.4" },
  ],
});
```

Pause a rule without deleting it

```typescript
// paused is updated in place via PUT, so the rule, its URLs and its allow-list
// stay in the zone and can be re-enabled by setting paused back to false.
yield* Cloudflare.Lockdown("AdminLockdown", {
  zoneId: zone.zoneId,
  urls: ["shop.example.com/admin*"],
  configurations: [{ target: "ip", value: "198.51.100.4" }],
  paused: true,
});
```