A working demo of Cloudflare's platform โ Zero Trust, Workers, R2, D1, WAF, and Tunnels working together.
Access Secure AreaOrigin server connected via encrypted outbound-only tunnel. No open inbound firewall ports required.
The /secure path is locked behind Cloudflare Access with Google SSO โ only approved identities get in.
Identity data, flag serving, and routing logic runs at the Cloudflare edge โ not on the origin server.
Country flag images stored in a private R2 bucket and served via Worker bindings. Try /flags/SG.
Flag metadata indexed in a D1 SQLite database, bound to the Worker. Try /flags-d1/SG.
SQL injection and other OWASP attacks are blocked at the edge. Try injecting a payload in the search below.
Search by country name or code. Flags are served from R2 and D1 via Cloudflare Workers. Try a SQL injection payload to see the WAF in action.