Customize on vanityURLs

Access control

Mon, 01 Jan 0001 00:00:00 +0000

The vanityURLs Worker blocks access to the private dashboard and tests until Cloudflare Access is configured. Anyone who tries to open those pages sees the Cloudflare Access not-configured response¹ shown below, so public redirects stay open while operational pages fail closed.

flowchart LR
A["Private path"] --> B["Cloudflare Access
application"]
B --> C{"Allowed
identity?"}
C -->|"no"| D["Access login
or deny"]
C -->|"yes"| E["JWT assertion"]
E --> F["Worker validates
AUD and secret"]
F --> G{"JWT valid?"}
G -->|"yes"| H["Serve dashboard
or tests"]
G -->|"no"| I["Fail closed with
not-configured response"]

Find the Team domain

If this Cloudflare account has never used Zero Trust, Cloudflare shows a short first-time setup before the normal Access screens:

Analytics

Mon, 01 Jan 0001 00:00:00 +0000

Use server-side analytics when you want redirect and page activity without adding browser tracking JavaScript. vanityURLs sends analytics from the Worker with ctx.waitUntil(), so provider failures should not delay redirects.

For provider selection and privacy tradeoffs, read Choosing privacy-friendly analytics for short links. For event names, provider payloads, IP handling, and blocked-traffic behavior, read Analytics.

flowchart LR
A["Request
reaches
Worker"] --> B{"Request type"}
B -->|"valid short link"| C["Redirect
response"]
C --> D["redirect event"]
B -->|"valid local page"| E["Public page
response"]
E --> F["pageview event"]
B -->|"unknown slug"| G["404 page"]
G --> H["short-link-miss
event"]
B -->|"lookup"| I["Lookup response"]
I --> J["pageview event"]
D --> K["ctx.waitUntil
analytics send"]
F --> K
H --> K
J --> K
K --> L["Umami or Fathom"]

Decide whether to enable analytics

Leave analytics disabled during the first setup unless you already know what question the reports need to answer. A working redirector with no analytics is a valid production choice.

Footer & pages

Mon, 01 Jan 0001 00:00:00 +0000

vanityURLs can publish footer links and public pages from the operator values stored in custom/v8s-site-config.json. These pages are part of the public posture of a short-link domain: they tell visitors, reporters, registrars, and security researchers who operates the redirector and how to reach the right contact.

Use this page to understand what files are generated, which links appear in the footer, and where to override pages when generated content is not enough. Use Jurisdiction when you are deciding the operator, jurisdiction, governing law, and trust contacts.

Jurisdiction

Mon, 01 Jan 0001 00:00:00 +0000

vanityURLs asks a few operator questions so generated public pages have a real owner, a reporting path, and a legal context. Use this page before or during npm run setup when you are deciding what to enter.

This page is not legal advice. It explains what the fields control and gives phase-1 answers that are practical enough to get an instance online. Use Footer & pages when you need generated output paths, footer links, aliases, and custom page overrides.

Network protection

Mon, 01 Jan 0001 00:00:00 +0000

Use this page when you are ready to configure Cloudflare controls in front of the Worker. Network protection keeps commodity abuse, unexpected methods, scanner probes, unwanted crawlers, and infrastructure noise away from application code.

For the layered security rationale, read Layering Cloudflare protection around a short-link domain. The raw Cloudflare dashboard capture lives in data/cloudflare-protection-defaults.json; use it to track Cloudflare menu changes, not as an operator checklist.

For the features intentionally left out of the default setup, read Cloudflare features not to enable by default.

Policy and blocklist

Mon, 01 Jan 0001 00:00:00 +0000

Use policy and blocklist customization when your instance needs local trust-and-safety decisions beyond the product defaults.

For the trust-and-safety rationale, read Protecting the reputation of a short-link domain. For source file selection, categories, generated feeds, runtime artifacts, and field behavior, read Policy and blocklist.

flowchart LR
A["defaults/
source policy"] --> C["generate:blocklist"]
B["custom/
local policy"] --> D["link validation"]
C --> E["runtime blocklist
artifacts"]
E --> D
F["configured
short links"] --> D
D --> G{"Validation
passes?"}
G -->|"yes"| H["Build and deploy"]
G -->|"no"| I["Fix link
or policy"]

Decide whether you need local policy

In your instance repository, review defaults/v8s-policies.json before creating an override. Start with the default policy unless you have a concrete reason to replace it. Common reasons include: