This page is publicly accessible. Cloudflare applies no Access policy.
This page has no Cloudflare Access Application applied to it. Any request reaches the origin without an identity check. On Cloudflare Pages, this is the default state — pages are public unless an Access policy is explicitly applied.
This is the baseline you compare everything else against. The index page itself works the same way.
Path-based: No Access Application required. Ensure no wildcard policy covers /open/*. Cloudflare Pages serves the route directly.
Subdomain-based: open.barbicancloud.co.uk has no Access Application attached. In Zero Trust → Access → Applications, confirm no application matches this hostname.
barbicancloud.co.uk/open/open.barbicancloud.co.uk