diff --git a/src/assets/images/changelog/access/require-cloudflare-access-protection.png b/src/assets/images/changelog/access/require-cloudflare-access-protection.png new file mode 100644 index 000000000000000..b8d96bf4dd10981 Binary files /dev/null and b/src/assets/images/changelog/access/require-cloudflare-access-protection.png differ diff --git a/src/content/changelog/access/2026-01-22-deny-by-default-for-zones.mdx b/src/content/changelog/access/2026-01-22-deny-by-default-for-zones.mdx new file mode 100644 index 000000000000000..5621601c65b94a6 --- /dev/null +++ b/src/content/changelog/access/2026-01-22-deny-by-default-for-zones.mdx @@ -0,0 +1,22 @@ +--- +title: Require Access protection for zones +description: Block traffic to zones that do not have an Access application configured. +date: 2026-01-22 +products: + - cloudflare-one + - access +--- + +You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked. + +This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed. + +![Require Cloudflare Access protection in the dashboard](~/assets/images/changelog/access/require-cloudflare-access-protection.png) + +### How it works + +- **Blocked by default**: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname. +- **Explicit access required**: To allow traffic, create an Access application with an Allow or Bypass policy. +- **Hostname exemptions**: You can exempt specific hostnames from this requirement. + +To turn on this feature, refer to [Require Access protection](/cloudflare-one/access-controls/access-settings/require-access-protection/). 
diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/require-access-protection.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/require-access-protection.mdx new file mode 100644 index 000000000000000..e0f4ebe9b610aaa --- /dev/null +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/require-access-protection.mdx 
@@ -0,0 +1,43 @@ +--- +pcx_content_type: how-to +title: Require Access protection +sidebar: + order: 3 +--- + +Cloudflare Access allows you to require Access protection for all hostnames in your account. When this setting is turned on, traffic to any hostname without a matching [Access application](/cloudflare-one/access-controls/applications/) is automatically blocked. + +This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. Without this setting, a developer could deploy a new application or create a DNS record and inadvertently expose the resource before configuring an Access application. + +## Turn on Access protection + +1. In [Cloudflare One](https://dash.cloudflare.com), go to **Zero Trust**, then **Access controls** > **Access settings**. +2. For **Require Cloudflare Access Protection**, enable the toggle to **On**. You will see a dialog confirming you understand the scope of this change. Select **Confirm**. + +Traffic to all hostnames in the account is now blocked unless an Access application exists with a matching hostname. + +:::caution + +Turning on this setting blocks traffic to any hostname that does not have an Access application. Before turning on this setting, verify that all publicly accessible hostnames have an Access application with the appropriate policies. + +::: + +3. (Optional) You can exempt specific hostnames from the **Require Cloudflare Access Protection** setting. Traffic to exempted hostnames is allowed even if no Access application exists. Select those hostnames from the available dropdown, and then press **Save**. + +:::note + +We recommend limiting exemptions to hostnames that host only public-facing content. Internal applications should have an Access application configured. + +::: + +## Allow traffic to a hostname + +To allow traffic to a hostname when **Require Cloudflare Access Protection** is turned on: + +1. 
[Create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the hostname. +2. Add an [Allow policy](/cloudflare-one/access-controls/policies/#allow) to grant access to authorized users. +3. (Optional) Add a [Bypass policy](/cloudflare-one/access-controls/policies/#bypass) if the hostname should be publicly accessible without authentication. + +## Blocked request behavior + +When a user attempts to access a hostname without an Access application, Cloudflare displays a block page indicating that the resource requires Access protection. The user cannot proceed until an administrator creates an Access application for that hostname.
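Review bot: In `2026-01-22-deny-by-default-for-zones.mdx`, the front matter scopes the feature to zones (title "Require Access protection for zones", description "Block traffic to zones that do not have an Access application configured."), while the body and the linked how-to describe it per hostname across the account ("all hostnames in your account"). Pick one scope and use it consistently in the title, description and file name, for example "Block traffic to hostnames that do not have an Access application configured." The entry also leaves out the how-to's caution that turning the setting on blocks every existing hostname without an Access application. A one-sentence pointer to that would help, since readers may enable the setting straight from the changelog.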
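Review bot: In `require-access-protection.mdx`, under "Turn on Access protection", the `:::caution` block comes after step 2, so a reader following the steps in order has already selected **Confirm** before being told to verify that hostnames have an Access application. Move the caution above step 1 or turn it into a prerequisites paragraph. The unindented paragraph and admonition between steps 2 and 3 also interrupt the ordered list, so "3. (Optional)" may not render as a continuation of the same procedure; indent them under step 2 or restructure the exemption step as its own subsection. Since exemptions are the other way to keep a hostname reachable, state whether they can be saved before the toggle is turned on, and mention the exemption path in "Blocked request behavior", which currently says the user cannot proceed "until an administrator creates an Access application for that hostname."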