Hey, thanks for your work!
I initially decided to only go the route of: mTLS rule, installing the certificate on my browser and my Android Phone and a WAF rule which blocks ALL traffic that does not equal certificate.
However, I still had some security concerns since I still had the feeling that quite some people are connecting to my domain… So I have set up Zero Trust which feels way better… but yeah, my Companion App is broken now and I urgently want to track devices for automations when I am leaving/coming home. Do you really feel perfectly safe with only Client Certificate + a single rule, that blocks all traffic without certificate? Or is there any good way to bypass Zero Trust (With a Bypass rule?) when opening it with the HA Mobile App?
(also see my question here which is basically the same: Is my Cloudflare Setup safe?)