---
title: Best practices
description: Follow recommended deployment best practices.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Best practices

Most customers have a heterogeneous private application portfolio: some applications are home-built, some are internal managed services, some have SSO integrations available, and some rely on HTML or other forms of authentication. With that in mind, we recommend that you mix and match [onboarding solutions](https://developers.cloudflare.com/learning-paths/clientless-access/migrate-applications/integrated-sso/#potential-solutions) to fit the needs of each individual application. As shown in the table below, you can bucket applications into a series of stack-ranked categories that prioritize ease of implementation and total organizational impact.

| Application type                                                                                     | Recommendation                                                                                                                                                                                                                                                                                                                                                                                             | Outcome                                                                                                                                                                                                                                                                                   |
| ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Private web apps without integrated SSO                                                              | [Present applications exclusively on Cloudflare domains.](https://developers.cloudflare.com/learning-paths/clientless-access/migrate-applications/integrated-sso/#recommended-solution)                                                                                                                                                                                                                    | Users access applications on new domains delegated to Cloudflare and instantly apply SSO through Cloudflare integration.                                                                                                                                                                  |
| Private web apps with integrated SSO                                                                 | **If SSO configuration is possible:** [Present applications exclusively on Cloudflare domains.](https://developers.cloudflare.com/learning-paths/clientless-access/migrate-applications/integrated-sso/#recommended-solution) **If SSO configuration is not possible:** Present applications on existing internal domains with identical external domains delegated to Cloudflare.                         | Users access internal web services on the same or new domains from Cloudflare. If configured, the SSO provider transparently redirects users from internal domains to Cloudflare authoritative external domains.                                                                          |
| New critical internal applications being developed                                                   | [Present applications exclusively on Cloudflare domains.](https://developers.cloudflare.com/learning-paths/clientless-access/migrate-applications/integrated-sso/#recommended-solution)                                                                                                                                                                                                                    | Developers can programmatically generate (or be given) new public hostnames on Cloudflare to represent the redirects for their application in SAML or OIDC integrations.                                                                                                                  |
| New microservices being developed                                                                    | [Present applications exclusively on Cloudflare domains.](https://developers.cloudflare.com/learning-paths/clientless-access/migrate-applications/integrated-sso/#recommended-solution)  Optionally, [consume the Access JWT](https://developers.cloudflare.com/learning-paths/clientless-access/migrate-applications/consume-jwt/#consume-the-cloudflare-jwt) as authentication in internal applications. | Developers can inject the JWT authorization mechanism directly into the codebase of their application and [use Terraform](https://developers.cloudflare.com/learning-paths/clientless-access/terraform/) to automatically build Cloudflare hostnames and policies for their applications. |
| Internal API endpoints (including internal applications with dependencies on external/internal APIs) | Present internal APIs on Cloudflare domains, and build Access policies that accept [service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) alongside user-oriented policies.                                                                                                                                                                | Automated systems can authenticate via a [service token in the request header](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#connect-your-service-to-access), while end users continue to log in through their IdP.                |

