# RxMargin - Network and Web-Filter Allowlisting Instructions

*For a practice's IT/network provider (for SCW-managed practices, raise via the SCW IT Self
Service Portal). Version 1.1, June 2026.*

## Summary for the IT team
RxMargin is a legitimate, Cloudflare-hosted web application with a valid Google Trust
Services TLS certificate. On managed NHS networks that run TLS inspection (for example
Cloudflare Gateway / Zero Trust), traffic to RxMargin is decrypted and re-signed with the
network's own inspection certificate, which the practice browsers do not trust. This produces a
**NET::ERR_CERT_AUTHORITY_INVALID** / "Your connection is not private" warning. It is also
liable to be flagged simply as a newly-registered domain. Two small policy changes fix it.

## Hostnames involved
- `rxmargin.co.uk`
- `www.rxmargin.co.uk`
- `portal.rxmargin.co.uk` (the secure data portal)
- `rxmargin.cloudflareaccess.com` (sign-in for the portal)
- `rxmargin-notify.ed-muffett.workers.dev` (the enquiry-form endpoint on rxmargin.co.uk; a
  branded `notify.rxmargin.co.uk` route is planned and will replace it here when live)

## Change 1 - Do Not Inspect (TLS)
In Cloudflare Zero Trust -> Gateway, add a **"Do Not Inspect"** rule for the hostnames above
so they bypass TLS re-signing. This lets the genuine certificate through untouched and is the
clean fix for the certificate warning.
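
To confirm from a practice workstation that the rule has taken effect, the following added example (not part of the original instructions) reports which CA issued the certificate each hostname presents. It assumes `openssl` is installed and that every listed hostname presents a Google Trust Services certificate; the page states this only for RxMargin itself, so set `EXPECTED_ISSUER` differently if the Cloudflare Access or workers.dev hostnames legitimately show another public CA.

```shell
#!/bin/sh
# Added example: report which CA issued the certificate each hostname presents
# when reached from this machine. Hostnames are the ones listed on this page.
HOSTS="rxmargin.co.uk www.rxmargin.co.uk portal.rxmargin.co.uk
rxmargin.cloudflareaccess.com rxmargin-notify.ed-muffett.workers.dev"

# Assumption: the genuine issuer line contains this text (override via env).
EXPECTED_ISSUER="${EXPECTED_ISSUER:-Google Trust Services}"

# classify_issuer ISSUER_LINE
# Prints "genuine" if the issuer matches the expected public CA,
# "unexpected" for any other issuer (for example a TLS-inspection CA),
# and "unreachable" if no certificate was obtained at all.
classify_issuer() {
  case "$1" in
    "") echo unreachable ;;
    *"$EXPECTED_ISSUER"*) echo genuine ;;
    *) echo unexpected ;;
  esac
}

# fetch_issuer HOST
# Prints the issuer line of the leaf certificate served for HOST on port 443.
# No trust validation is done here; we only want to see who signed it.
fetch_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer 2>/dev/null
}

# check_all: one line per hostname; returns non-zero if any is not "genuine".
check_all() {
  rc=0
  for h in $HOSTS; do
    issuer=$(fetch_issuer "$h")
    verdict=$(classify_issuer "$issuer")
    printf '%-42s %-12s %s\n' "$h" "$verdict" "$issuer"
    [ "$verdict" = genuine ] || rc=1
  done
  return "$rc"
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  check_all
fi
```

Run it with `--run` before and after the policy change: a hostname still showing `unexpected` is still being re-signed by the inspection proxy.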

## Change 2 - Allow (HTTP policy)
Add the same hostnames to an **Allow** rule in the HTTP policy, in case they are also being
blocked as a new or uncategorised domain.

## Change 3 - Email (one-time codes)
Please ensure nhs.net inboxes can receive one-time sign-in codes from **Cloudflare Access**
(sender domains associated with cloudflareaccess.com), so portal users can complete sign-in.

## Why this is safe
- RxMargin holds no patient-identifiable data; it processes practice-level business/financial data.
- The site uses a valid public TLS certificate; the warning is caused only by local TLS
  re-inspection, not by any problem with the site.
- Access is restricted to named users behind multi-factor / one-time-code authentication.

## For SCW-managed practices
Raise via the SCW IT Self Service Portal: Raise a Call -> I have an issue -> Raise a
Network related call. Reference this document.

## Contact
Dr Ed Muffett, RxMargin - hello@rxmargin.co.uk. Happy to speak to the IT team directly.
