Build and Secure Applications at Pace With Cloudflare

Cloudflare prohibits Orange-to-Orange routing between two Custom Hostname zones, returning Error 1016. Both the SOH public portal and the Optimizely DXP backend sit on Cloudflare — the routing impasse threatened the entire migration. Beyond that, CMS admin paths needed strict access control, backend infrastructure needed to be network-blocked, and performance had to hold across 100+ domains serving millions of citizens.

• Worker looks up each incoming hostname in a KV namespace to determine whether it's a public or administrative request, and which DXP backend it routes to.
• Request destinations are rewritten to the correct Optimizely DXP target — bypassing O2O entirely.
  Every forwarded request is cryptographically signed with SHA-256 HMAC, validated by a custom HostOverrideModule at DXP so only genuine edge requests reach origin.
• Admin paths on public domains redirect to `.cms.soh.police.uk` hostnames behind Cloudflare Access with MFA.
• Response Location headers and Set-Cookie domains are rewritten to user-facing hostnames.
• WAF rules block all direct DXP access. Azure Pipelines runs a two-stage manual approval deploy with dry-run validation and automated KV seeding.

• Over 100 police force domains (public and admin) successfully route through the Worker to Optimizely DXP, serving millions of citizens across England and Wales.
• The O2O routing constraint was resolved entirely at the edge without introducing additional proxy infrastructure or compromising Cloudflare's security model.
• CMS administration is protected by Cloudflare Access with MFA, and direct backend access is blocked by WAF rules.
• The solution deploys in seconds and scales automatically. There are no servers to manage, no capacity to plan, and no cold starts.
• For CDS, the project established reusable patterns for multi-tenant edge routing, cryptographic request signing, and KV-driven configuration that transfer directly to future engagements.

The OGP manages government property: tens of thousands of buildings, land parcels, contracts, leases, BREEAM/EPC/DEC certifications across multiple departments. The existing system needed modernisation — data quality monitoring, geospatial search, GOV.UK design-system compliance, integration with legacy ePIMS SOAP authentication, and existing reporting tools.

• Next.js 15 front end on Pages built to GOV.UK Frontend with Leaflet-based interactive mapping, advanced list + map search views, geospatial polygon management, CRUD for 18+ entity types.
• OpenAPI-first development: .NET backend generates an OpenAPI spec that drives TypeScript type generation for the front end — end-to-end type safety from database to UI.
• Geospatial: Ordnance Survey integration for address lookup and raster tiles; Leaflet with marker clustering; Geoman for boundary editing. Tile server requests proxied via a Worker and cached within Cloudflare.
• Legacy auth integration connecting NextAuth.js sessions with the existing ePIMS SOAP service — bridging modern front-end auth with established government identity infrastructure.
• Accessibility + security: axe-core automated accessibility testing, CSRF protection, security headers middleware, parameterised SQL queries throughout.
• Workers to generate and destroy unique preview environments per code change at no additional cost — dramatically streamlining testing.

• Government property managers have a modern, accessible, performant interface for managing the UK government's property estate, built to GOV.UK standards and served from Cloudflare's edge.

• The split architecture delivers edge performance for the user-facing application alongside data sovereignty compliance for the backend and database.
• OpenAPI-driven type safety eliminates an entire class of integration bugs between front end and backend.
  
• The generous tier of free daily usage on Workers results in the client application being extremely cost effective to run.
• For CDS, InSite demonstrates our ability to use Cloudflare Pages as a modern front-end hosting platform for government systems while integrating cleanly with existing Azure backend infrastructure and legacy authentication - a pattern that applies to many public sector modernisation programmes.

The College of Policing maintains the body of knowledge underpinning modern policing practice - APP guidance, training catalogues, professional profiles, force performance metrics, examination results, learning event records. Officers face a familiar problem: unstructured guidance requires manual web searches; structured data requires database queries or bespoke reports. No single interface lets a user ask a natural language question and receive a synthesised answer drawing on both.

• Two Workers form the core: an MCP client Worker running the chat agent (OpenAI GPT-4o), and an MCP server Worker exposing nine tools the agent can invoke. Both use Durable Objects with SQLite for persistent multi-turn state.
• Three tool categories: unstructured data (APP guidance, courses, profiles via AI Search); structured data (force info, events, examinations, performance metrics via Apache Iceberg on R2 + Python FastAPI running Spark); and a transformation tool generating Chart.js configs for visualisations.
• Auto-generated schemas: a Python script reads Iceberg table metadata and produces Zod schemas that serve simultaneously as API validation and LLM function definitions. Eliminates drift between data layer and agent understanding.
• Next.js 15 front-end deployed to Cloudflare Pages via OpenNextJS Cloudflare. Chat responses stream through Server-Sent Events; tool invocations visible as they occur.
• AI Gateway sits between the MCP client and OpenAI, providing request analytics, evaluation, and guardrail capability. Azure Pipelines deploys three parallel targets (Pages + two Workers via Wrangler).

• Police staff can ask natural language questions and receive answers grounded in College of Policing content and data, with the agent transparently selecting and invoking the right tools for each query.

• The MCP architecture means the same tool server can be consumed by the web application, Claude Desktop, or any other MCP-compatible client, without rebuilding the tool layer.

• AI Search eliminated the need to build and maintain a custom embedding and vector search pipeline. Content uploaded to R2 is automatically vectorised and made queryable.
  

• The entire stack runs serverless on Cloudflare's edge, with no origin servers for the application or agent logic. The only non-Cloudflare compute is the Spark query service for Iceberg table access - although this functionality could probably now be served within a Cloudflare container.
• For CDS, this project represents our first production use of Cloudflare AI Search, AI Gateway, and the Agents SDK with Durable Objects, and it establishes reusable patterns for MCP-based agent architectures on the Developer Platform.