The Sixth Sense at 6th Street

✅ Access Sandbox Checklist

Manual checklist for testing Cloudflare Access protection on the sandbox route before any real protected workflow exists.

This is a read-only checklist. It does not configure Cloudflare Access, log users in, create accounts, or collect identity information.

Checklist Boundary

Manual checklist only. This data does not configure Cloudflare Access, create accounts, grant access, or collect identity information.

Manual only | No app login | No community content

Before protection

Confirm sandbox route is public-safe

manual

Review the sandbox route before any protection policy is added.

Gate: Public-route safety audit

Safety note: The page must remain read-only and free of collection controls.

Confirm live workflows remain blocked

manual

Verify future submission, review, portal, and analytics paths are still planning records only.

Gate: Privacy approval

Safety note: No live community workflow should be enabled by this test.

Cloudflare Access setup

Create a manual Access application

manual

Configure protection in Cloudflare for the sandbox route only.

Gate: Cloudflare Access

Safety note: The app code does not create accounts or enforce Access by itself.

Restrict to approved testers

manual

Scope the policy to a small approved test group before broader review.

Gate: Cloudflare Access

Safety note: Do not use the sandbox to collect community content.

Unauthenticated test

Confirm private session is blocked

manual

Open the protected sandbox route in a private browsing session after Access is configured.

Gate: Cloudflare Access

Safety note: A blocked or Access-mediated response is expected when no session exists.

Authenticated test

Confirm approved tester can view sandbox

manual

Use an approved tester session to confirm the sandbox route is visible.

Gate: Cloudflare Access

Safety note: Viewing the sandbox must not create an app account or store identity details.

Access status endpoint test

Confirm safe status output

manual

Check the diagnostic endpoint and confirm it returns booleans only when JSON is available.

Gate: Cloudflare Access

Safety note: The endpoint must never return identity values or request metadata.

Rollback

Disable sandbox policy if needed

manual

Remove or pause the manual Access policy if testing causes unexpected routing behavior.

Gate: Cloudflare Access

Safety note: Rollback must not expose real protected workflows because none are implemented.

What remains blocked

Keep sensitive workflows blocked

manual

Confirm accounts, live submissions, staff review actions, and sensitive storage remain unavailable.

Gate: Institutional approval

Safety note: Separate approval is required before any real workflow is built.

Safe Diagnostic Endpoint

The endpoint /api/access/status is diagnostic only. It returns booleans about Access-like header presence when JSON is available.

It does not return identity values and must not be used as authorization.
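
One way to run the "Confirm safe status output" check against a captured response body, as an added example that is not the site's own code. The function name, field names and sample bodies are constructed, because the page does not document the response schema.

```javascript
// Added example: audit a saved /api/access/status body for non-boolean values.
// Violations report the JSON path and the value's type only, never the value,
// so the audit log cannot itself leak an identity string.
function auditStatusBody(bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    // Not JSON (for example an Access-mediated HTML page): nothing to audit.
    return { status: "not-json", violations: [] };
  }
  const violations = [];
  const walk = (value, path) => {
    if (typeof value === "boolean") return;
    if (value !== null && typeof value === "object") {
      const entries = Array.isArray(value)
        ? value.map((v, i) => [`[${i}]`, v])
        : Object.entries(value).map(([k, v]) => [`.${k}`, v]);
      for (const [key, child] of entries) walk(child, path + key);
      return;
    }
    // Strings, numbers and null are all outside the "booleans only" contract.
    violations.push(`${path}: ${value === null ? "null" : typeof value}`);
  };
  walk(parsed, "$");
  return {
    status: violations.length === 0 ? "booleans-only" : "non-boolean-values",
    violations,
  };
}

// Constructed sample bodies (field names are hypothetical).
const SAFE_BODY = '{"accessHeadersPresent":true,"jwtAssertionPresent":false}';
const LEAKY_BODY = JSON.stringify({
  accessHeadersPresent: true,
  email: "tester@example.test",
  meta: { ip: "192.0.2.10", flags: [true, 1] },
});
const HTML_BODY = "<!doctype html><title>Sign in</title>";

for (const body of [SAFE_BODY, LEAKY_BODY, HTML_BODY]) {
  console.log(auditStatusBody(body));
}
```

A "booleans-only" result covers the output contract only; it says nothing about whether Access is actually enforcing the route.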