diff --git a/dev/managedservicesplatform/internal/resource/cloudflare/cloudflare.go b/dev/managedservicesplatform/internal/resource/cloudflare/cloudflare.go
index a566813f5e8..d8aef2c9a9e 100644
--- a/dev/managedservicesplatform/internal/resource/cloudflare/cloudflare.go
+++ b/dev/managedservicesplatform/internal/resource/cloudflare/cloudflare.go
@@ -45,7 +45,7 @@ func New(scope constructs.Construct, id resourceid.ID, config Config) (*Output,
 Name: &config.Spec.Subdomain,
 Type: pointers.Ptr("A"),
 Value: config.Target.ExternalAddress.Address(),
- Proxied: pointers.Ptr(config.Spec.Proxied),
+ Proxied: pointers.Ptr(config.Spec.ShouldProxy()),
 Comment: pointers.Ptr("Managed Services Platform service"),
 Tags: pointers.Ptr(pointers.Slice([]string{"msp"})),
 })
diff --git a/dev/managedservicesplatform/operationdocs/operationdocs.go b/dev/managedservicesplatform/operationdocs/operationdocs.go
index 3a83edff844..220e7fe1328 100644
--- a/dev/managedservicesplatform/operationdocs/operationdocs.go
+++ b/dev/managedservicesplatform/operationdocs/operationdocs.go
@@ -96,7 +96,7 @@ This service is operated on the [Managed Services Platform (MSP)](https://handbo
 if env.EnvironmentServiceSpec != nil {
 if domain := env.Domain.GetDNSName(); domain != "" {
 overview = append(overview, []string{"Domain", markdown.Link(domain, "https://"+domain)})
- if env.Domain.Cloudflare != nil && env.Domain.Cloudflare.Proxied {
+ if env.Domain.Cloudflare != nil && env.Domain.Cloudflare.ShouldProxy() {
 overview = append(overview, []string{"Cloudflare WAF", "✅"})
 }
 }
diff --git a/dev/managedservicesplatform/spec/environment.go b/dev/managedservicesplatform/spec/environment.go
index ce73cd5306c..71f4b5fc887 100644
--- a/dev/managedservicesplatform/spec/environment.go
+++ b/dev/managedservicesplatform/spec/environment.go
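Review bot: In the operationdocs hunk the `env.Domain.Cloudflare != nil` guard on the changed line is now redundant, because the new `ShouldProxy` is declared on a pointer receiver and returns false for a nil receiver, so the condition can simply be `if env.Domain.Cloudflare.ShouldProxy() {`. The more important point is what that row now claims: with the default flipped to proxied, "Cloudflare WAF ✅" is rendered for every environment that does not explicitly set `proxied: false`, while the `Required` field that would restrict origin traffic to Cloudflare is still marked `TODO: Unimplemented` in the spec hunk, so a client that learns the origin address can still bypass the WAF. Consider making the row honest about that, e.g. `overview = append(overview, []string{"Cloudflare WAF", "✅ (proxied; origin not yet restricted to Cloudflare)"})`, or gating the ✅ on `Required` once it is implemented. The enclosing function begins outside the hunk.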
@@ -265,13 +265,23 @@ type EnvironmentDomainCloudflareSpec struct {
 // Proxied configures whether Cloudflare should proxy all traffic to get
 // WAF protection instead of only DNS resolution.
- Proxied bool `yaml:"proxied,omitempty"`
+ //
+ // Default: true
+ Proxied *bool `yaml:"proxied,omitempty"`
 // Required configures whether traffic can only be allowed through Cloudflare.
 // TODO: Unimplemented.
 Required bool `yaml:"required,omitempty"`
 }
+// ShouldProxy evaluates whether Cloudflare WAF proxying should be used.
+func (e *EnvironmentDomainCloudflareSpec) ShouldProxy() bool {
+ if e == nil {
+ return false
+ }
+ return pointers.Deref(e.Proxied, true)
+}
+
 type EnvironmentInstancesSpec struct {
 Resources EnvironmentInstancesResourcesSpec `yaml:"resources"`
 // Scaling specifies the scaling behavior of the service.
diff --git a/dev/managedservicesplatform/stacks/cloudrun/internal/builder/service/service.go b/dev/managedservicesplatform/stacks/cloudrun/internal/builder/service/service.go
index bd43abcb4bf..f8d0b660f59 100644
--- a/dev/managedservicesplatform/stacks/cloudrun/internal/builder/service/service.go
+++ b/dev/managedservicesplatform/stacks/cloudrun/internal/builder/service/service.go
@@ -250,7 +250,7 @@ func (b *serviceBuilder) Build(stack cdktf.TerraformStack, vars builder.Variable
 // Provision SSL cert
 var sslCertificate loadbalancer.SSLCertificate
- if domain.Cloudflare.Proxied {
+ if domain.Cloudflare.ShouldProxy() {
 sslCertificate = cloudflareorigincert.New(stack, resourceid.New("cf-origin-cert"), cloudflareorigincert.Config{
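Review bot: Changing `Proxied` to `*bool` with `pointers.Deref(e.Proxied, true)` flips the default for every existing spec that omits the key: on the next apply those environments get a proxied Cloudflare record and, as the service builder hunk shows, a Cloudflare origin certificate on the load balancer, and nothing in the hunk says how that rollout is coordinated, so the field doc should warn operators, e.g. `// Default: true. Specs that previously omitted this field become proxied on their next deploy.`. The doc comment on `ShouldProxy` should also spell out the nil case the code explicitly handles: `// ShouldProxy reports whether Cloudflare WAF proxying should be used. It is false when no Cloudflare spec is configured (nil receiver) and otherwise true unless Proxied is explicitly set to false.`. Because `Required` is still `TODO: Unimplemented`, a proxied record only protects clients that resolve through Cloudflare and direct requests to the origin address bypass the WAF, which is worth stating in the `Required` comment rather than leaving the bare TODO. An explicit `proxied: false` together with `required: true` is contradictory and nothing visible here rejects it; I can't tell whether a validator elsewhere covers that combination.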