Public buckets

Public Bucket is a feature that allows users to expose the contents of their R2 buckets directly to the Internet. By default, buckets are never publicly accessible and will always require explicit user permission to enable.

Public buckets can be set up in either one of two ways:

• Expose your bucket as a custom domain under your control.
• Expose your bucket using a Cloudflare-managed https://r2.dev subdomain for non-production use cases.

These options can be used independently. Enabling custom domains does not require enabling r2.dev access.

To use features like WAF custom rules, caching, access controls, or bot management, you must configure your bucket behind a custom domain. These capabilities are not available when using the r2.dev development url.

Note

Currently, public buckets do not let you list the bucket contents at the root of your (sub) domain.

Custom domains

Caching

Domain access through a custom domain allows you to use Cloudflare Cache to accelerate access to your R2 bucket.

Configure your cache to use Smart Tiered Cache to have a single upper tier data center next to your R2 bucket.

Note

By default, only certain file types are cached. To cache all files in your bucket, you must set a Cache Everything page rule.

For more information on default Cache behavior and how to customize it, refer to Default Cache Behavior

Access control

To restrict access to your custom domain's bucket, use Cloudflare's existing security products.

• Cloudflare Zero Trust Access: Protects buckets that should only be accessible by your teammates.
• Cloudflare WAF Token Authentication: Restricts access to documents, files, and media to selected users by providing them with an access token.

Warning

Disable public access to your r2.dev subdomain when using products like WAF or Cloudflare Access. If you do not disable public access, your bucket will remain publicly available through your r2.dev subdomain.

Minimum TLS Version

To specify the minimum TLS version of a custom hostname of an R2 bucket, you can issue an API call to edit R2 custom domain settings.

Add your domain to Cloudflare

The domain being used must have been added as a zone in the same account as the R2 bucket.

• If your domain is already managed by Cloudflare, you can proceed to Connect a bucket to a custom domain.
• If your domain is not managed by Cloudflare, you need to set it up using a partial (CNAME) setup to add it to your account.

Once the domain exists in your Cloudflare account (regardless of setup type), you can link it to your bucket.

Connect a bucket to a custom domain

1. Go to R2 and select your bucket.
2. On the bucket page, select Settings.
3. Under Custom Domains, select Add.
4. Enter the domain name you want to connect to and select Continue.
5. Review the new record that will be added to the DNS table and select Connect Domain.

Your domain is now connected. The status takes a few minutes to change from Initializing to Active, and you may need to refresh to review the status update. If the status has not changed, select the ... next to your bucket and select Retry connection.

To view the added DNS record, select ... next to the connected domain and select Manage DNS.

Note

If the zone is on an Enterprise plan, make sure that you release the zone hold before adding the custom domain.

A zone hold would prevent the custom subdomain from activating.

Disable domain access

Disabling a domain will turn off public access to your bucket through that domain. Access through other domains or the managed r2.dev subdomain are unaffected. The specified domain will also remain connected to R2 until you remove it or delete the bucket.

To disable a domain:

1. In R2, select the bucket you want to modify.
2. On the bucket page, Select Settings, go to Custom Domains.
3. Next to the domain you want to disable, select ... and Disable domain.
4. The badge under Access to Bucket will update to Not allowed.

Remove domain

Removing a custom domain will disconnect it from your bucket and delete its configuration from the dashboard. Your bucket will remain publicly accessible through any other enabled access method, but the domain will no longer appear in the connected domains list.

To remove a domain:

1. In R2, select the bucket you want to modify.
2. On the bucket page, Select Settings, go to Custom Domains.
3. Next to the domain you want to disable, select ... and Remove domain.
4. Select ‘Remove domain’ in the confirmation window. This step also removes the CNAME record pointing to the domain. You can always add the domain again.

Public development URL

Expose the contents of this R2 bucket to the internet through a Cloudflare-managed r2.dev subdomain. This endpoint is intended for non-production traffic.

Note

Public access through r2.dev subdomains are rate limited and should only be used for development purposes.

To enable access management, Cache and bot management features, you must set up a custom domain when enabling public access to your bucket.

Avoid creating a CNAME record pointing to the r2.dev subdomain. This is an unsupported access path, and we cannot guarantee consistent reliability or performance. For production use, add your domain to Cloudflare instead.

Enable public development url

When you enable public development URL access for your bucket, its contents become available on the internet through a Cloudflare-managed r2.dev subdomain.

To enable access through r2.dev for your buckets:

1. In R2, select the bucket you want to modify.
2. On the bucket page, select Settings.
3. Under Public Development URL, select Enable.
4. In Allow Public Access?, confirm your choice by typing ‘allow’ to confirm and select Allow.
5. You can now access the bucket and its objects using the Public Bucket URL.

To verify that your bucket is publicly accessible, check that Public URL Access shows Allowed in you bucket settings.

Disable public development url

Disabling public development URL access removes your bucket’s exposure through the r2.dev subdomain. The bucket and its objects will no longer be accessible via the Public Bucket URL.

If you have connected other domains, the bucket will remain accessible for those domains.

To disable public access for your bucket:

1. In R2, select the bucket you want to modify.
2. On the bucket page, select Settings.
3. Under Public Development URL, select Disable.
4. In Disallow Public Access?, type ‘disallow’ to confirm and select Disallow.