getraxx.com DNS + Cloudflare Pages State
Audited: 2026-05-11 (UTC)
Auditor: sre-agent
Zone: getraxx.com — Cloudflare zone ID 0bdcee38d1da2d021eb6166f0bd6204f
Account: MooseQuest (22b5c35090724fbf05db6d4f501ac821)
Closes: #594
Zone health
| Property | Value |
|---|---|
| Status | active |
| Name servers | keaton.ns.cloudflare.com, millie.ns.cloudflare.com |
| Plan | Free |
| Paused | No |
| Zone activated | 2026-04-22T05:26:33Z |
DNS records (complete inventory)
| Type | Name | Value | Proxied | TTL | Comment |
|---|---|---|---|---|---|
| CNAME | getraxx.com | getraxx.pages.dev | Yes (orange-cloud) | Auto | Added 2026-04-28 — apex to CF Pages |
| CNAME | www.getraxx.com | getraxx.com | Yes (orange-cloud) | Auto | Added 2026-04-28 — www mirror to apex |
| MX | getraxx.com | aspmx.l.google.com | No | 3600 | Priority 1 — Google Workspace alias email |
| MX | getraxx.com | alt1.aspmx.l.google.com | No | 3600 | Priority 5 |
| MX | getraxx.com | alt2.aspmx.l.google.com | No | 3600 | Priority 5 |
| MX | getraxx.com | alt3.aspmx.l.google.com | No | 3600 | Priority 10 |
| MX | getraxx.com | alt4.aspmx.l.google.com | No | 3600 | Priority 10 |
| TXT | getraxx.com | v=spf1 include:_spf.google.com ~all | No | 3600 | Google Workspace SPF |
| TXT | getraxx.com | google-site-verification=FLSSrhg8… | No | 3600 | Google site verification |
| TXT | _dmarc.getraxx.com | v=DMARC1; p=quarantine; rua=mailto:kris@moosequest.net; fo=1 | No | 3600 | DMARC quarantine policy |
Note: The apex CNAME resolves via Cloudflare's CNAME flattening. The Pages project is named getraxx (origin: getraxx.pages.dev), not raxx-app. The issue background assumed raxx-app.pages.dev — that assumption is incorrect; the binding is correct and distinct.
Cloudflare Pages binding
| Property | Value |
|---|---|
| Pages project name | getraxx |
| Default origin subdomain | getraxx.pages.dev |
| Apex custom domain | getraxx.com (CNAME → getraxx.pages.dev, proxied) |
| www custom domain | www.getraxx.com (CNAME → getraxx.com, proxied) |
| getraxx.pages.dev HTTP status | 200 — React SPA served, correct OG metadata |
www → apex redirect
A Cloudflare Dynamic Redirect ruleset is active on the zone (ruleset ID f978e87ed24147d19c5cad45a93ff97a, created 2026-05-11T18:10:58Z):
Expression: (http.host eq "www.getraxx.com")
Action: redirect → concat("https://getraxx.com", http.request.uri.path)
Status: 301
Preserve query string: yes
Verified live: curl -I https://www.getraxx.com returns HTTP/2 301 with Location: https://getraxx.com/.
HTTP → HTTPS redirect
curl -I http://getraxx.com returns HTTP/1.1 301 Moved Permanently with Location: https://getraxx.com/. Cloudflare handles this at the edge even with always_use_https set to off (the CNAME-proxied zone handles it via the CF proxy by default).
SSL/TLS
| Setting | Value |
|---|---|
| Mode | full |
| Certificate status | active |
| HSTS | Disabled (max-age 0, subdomains off, preload off) |
Cloudflare Access — pre-launch beta gate
An Access application was created 2026-05-11T14:45:24Z that covers getraxx.com and www.getraxx.com:
| Property | Value |
|---|---|
| Name | getraxx.com — pre-launch beta gate |
| Type | self_hosted |
| App ID | c2bbf021-f22a-47dd-8e55-182374d0b6e7 |
| Policy | Allow: kris@moosequest.net only |
| Session duration | 24h |
| Auto-redirect to IdP | Yes |
Effect on public access: curl -I https://getraxx.com returns HTTP/2 302 to moosequest.cloudflareaccess.com login. The domain is intentionally not publicly reachable pre-launch. This is correct behavior for the pre-launch phase. Public access requires removing or expanding this Access policy at launch.
React router — root path handling
The GetRaxxLanding component (the marketing landing page) is registered at /marketing/getraxx, not at /. The root path / behavior depends on feature flags:
| Flag state | / renders |
|---|---|
| FLAG_ROUTE_GUARD off (current default) | Trading app — SetupWizard or Dashboard depending on onboarding state |
| FLAG_ROUTE_GUARD on | PublicLanding component |
With the current production flag defaults, getraxx.com/ would land an unauthenticated visitor on the trading app's logged-out state, not the marketing page.
A _redirects file does not exist in frontend/trademaster_ui/public/. No CF Pages redirect rule routes / to /marketing/getraxx.
Live verification results
| Test | Result |
|---|---|
| curl -I https://getraxx.com | 302 → Cloudflare Access login (pre-launch gate active — expected) |
| curl -I https://www.getraxx.com | 301 → https://getraxx.com/ (correct) |
| curl -I http://getraxx.com | 301 → https://getraxx.com/ (correct) |
| curl -I https://getraxx.pages.dev | 200 — React SPA, correct metadata |
Delta analysis — gaps requiring action before public launch
Delta 1 — Root path does not serve the marketing landing page (BLOCKER)
getraxx.com/ must serve GetRaxxLanding to visitors who are not authenticated. Currently it serves the trading app shell.
Options (operator decision required):
- A. Enable FLAG_ROUTE_GUARD in production — / renders PublicLanding which is a generic landing. Requires FLAG_PASSKEY_LOGIN_UI also enabled per code comment. This is a code flag change.
- B. Add a CF Pages _redirects rule: / /marketing/getraxx 301 — routes the SPA root to the correct path. No flag dependency.
- C. Register GetRaxxLanding on both / and /marketing/getraxx in App.js. Code change.
Option B is the lowest-friction pre-launch fix and requires a _redirects file committed to frontend/trademaster_ui/public/. A separate implementation card should be filed.
Delta 2 — CF Access policy covers entire domain (operator awareness)
The Access policy allows only kris@moosequest.net today. Before launch, the policy must be removed or expanded to allow public access. This is a deliberate pre-launch gate; document the removal as a launch-day checklist item.
Delta 3 — HSTS not enabled
strict_transport_security is disabled. At launch, enabling HSTS (min max-age=31536000) is recommended to prevent SSL stripping. Not a blocker but a hardening action.
Delta 4 — X-Robots-Tag: noindex in _headers
frontend/trademaster_ui/public/_headers sets X-Robots-Tag: noindex, nofollow, noarchive, nosnippet on all paths. A comment in that file already notes this must be removed before launch. Not a routing issue but it blocks SEO indexing of the marketing page post-launch.
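Deltas 2 to 4 can be re-checked on launch day from curl -I output for the apex. The script below is an added example, not part of the original audit: the sample responses are constructed rather than captured, and the function names and finding labels are hypothetical.

```python
import re

HSTS_MIN_AGE = 31536000  # minimum max-age recommended in Delta 3

# Constructed `curl -I` outputs (not captured from the live site).
PRELAUNCH = """HTTP/2 302
location: https://moosequest.cloudflareaccess.com/
"""
UNGATED_UNFIXED = """HTTP/2 200
content-type: text/html; charset=utf-8
x-robots-tag: noindex, nofollow, noarchive, nosnippet
"""
LAUNCH_READY = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000
"""

def parse_head(raw):
    """Split `curl -I` output into (status, {lower-cased header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def launch_findings(raw):
    """Return the open launch-day deltas for one apex response."""
    status, h = parse_head(raw)
    # Delta 2: Access still intercepts the request. The headers seen here
    # belong to the Access redirect, so this example defers Deltas 3 and 4.
    if status == 302 and "cloudflareaccess.com" in h.get("location", ""):
        return ["access-gate-active"]
    findings = []
    # Delta 3: HSTS absent, or max-age below the recommended minimum.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if m is None or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("hsts-missing-or-short")
    # Delta 4: the pre-launch X-Robots-Tag from _headers is still served.
    if "noindex" in h.get("x-robots-tag", "").lower():
        findings.append("noindex-present")
    return findings

if __name__ == "__main__":
    for name, raw in [("pre-launch", PRELAUNCH), ("ungated", UNGATED_UNFIXED),
                      ("ready", LAUNCH_READY)]:
        print(name, launch_findings(raw))
```

While the Access gate is active the apex only ever returns the login redirect, so the HSTS and X-Robots-Tag checks become meaningful only after the policy is removed or expanded.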
No-action items (confirmed correct)
- Apex CNAME → getraxx.pages.dev is correct and proxied
- www → apex 301 redirect is live and functioning
- HTTP → HTTPS redirect is functioning
- MX records, SPF, and DMARC are present
- TLS certificate is active with full mode
Action items
| # | Action | Type | Notes |
|---|---|---|---|
| 1 | File implementation card: add _redirects (or equivalent) so getraxx.com/ serves the marketing landing page | Blocker for AC #3 | Option B above; separate card per issue scope |
| 2 | Add CF Access policy removal to launch-day runbook | Launch-day checklist | Must happen before public traffic is expected |
| 3 | Enable HSTS at launch | Hardening | max-age=31536000; can be done via Cloudflare zone settings |
| 4 | Remove X-Robots-Tag: noindex from _headers before launch | Launch-day checklist | Already noted in file comment |
References
- Issue: #594
- Parent epic: #582
- CF Pages project: getraxx (origin: getraxx.pages.dev)
- CF Access app: c2bbf021-f22a-47dd-8e55-182374d0b6e7
- CF Redirect ruleset: f978e87ed24147d19c5cad45a93ff97a
- Related DNS state doc: docs/ops/email-dns-state.md (moosequest.net — separate domain)