Cloudflare Access alternatives for internal HTML
Cloudflare Access is a serious zero-trust product, and if the job is "gate our self-hosted internal tools behind the IdP," it's a top-tier answer. But a lot of teams arrive at Access with a much smaller job: one HTML report that shouldn't be public. For that job, Access isn't wrong — it's just the most infrastructure-shaped way to do it.
What the Access route actually involves
- You still need hosting. Access authenticates; it doesn't serve. Pair it with Cloudflare Pages, R2, or your own origin.
- You operate the config. Applications, policies, identity provider wiring, tunnels or DNS records. Fine for a platform team; heavy for "share Friday's analysis."
- Per-user seats above the free tier. The free Zero Trust tier covers up to 50 users; past that, you're paying per person who can open a static file.
- Access stops at the door. Once a viewer is in, there's no review layer — no anchored comments, no revision history, no diff of what changed since last week. The proxy can't add what the content layer doesn't have.
The shortlist
1. Comma — managed gating plus the review layer
The whole pipeline in one call: POST /api/v1/reports (or one MCP tool call from a Claude/Cursor/Codex agent) and the HTML is hosted behind the access level you pick — private, team, domain-gated, registered, or public-by-link, with password and expiry options at the top tier. Viewers get a document with anchored comments; publishers get revisions with diffs; agents get a first-class token surface. Nothing to operate.
Not for: gating arbitrary self-hosted applications. Comma serves reports it hosts; it is not a proxy for your infra.
Pricing: Free (3 active reports) · Pro $9/mo · Team $75/seat/mo · Enterprise custom. Viewers are free and unlimited.
2. Cloudflare Access + Pages — keep it, if you'll operate it
If a platform team already runs Zero Trust, adding one more application is marginal cost, and you keep everything behind one IdP. The gap that remains is the review layer — teams often pair the two: infra behind Access, reports on Comma.
3. Tailscale + a static server — gate by network instead of identity
Serve files on a tailnet and the network is the access control. Brilliant for engineers; a non-starter the day a viewer outside the tailnet (an exec, a client, a board member) needs the link. See also Tiiny Host alternatives for the link-sharing end of this spectrum.
4. S3 + CloudFront signed URLs — build vs. buy, the build side
Presigned or signed-cookie access on top of object storage. Infinitely flexible, genuinely cheap at rest — and now you own URL signing, expiry semantics, and an auth lambda. The classic build-vs-buy tradeoff.
At a glance
| Approach | You operate | Viewer identity | Comments / history | Cost shape |
|---|---|---|---|---|
| Comma | Nothing | Email / team / domain | Yes / yes | Per publisher; viewers free |
| CF Access + Pages | Policies, DNS, hosting | Real SSO | No | Free ≤ 50 users, then per user |
| Tailscale + server | Tailnet + a server | Network membership | No | Per user |
| S3 + signed URLs | Everything | Whatever you build | No | Cheap + your time |
Checked June 2026. Verify current tiers before committing.
How to choose
- Gating self-hosted apps and admin panels? Cloudflare Access. That's its job and it's good at it.
- Sharing reports people should discuss? A managed layer with comments and revisions — that's Comma.
- Everything must stay on your infra? S3 + signed URLs or Access — budget the engineering time honestly.