Isolation policies
With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content.
Isolate
When an HTTP policy applies the Isolate action, the user’s web browser is transparently served an HTML compatible remote browser client. Isolation policies can be applied to requests that include Accept: text/html*. This allows Browser Isolation policies to co-exist with API traffic.
The following example enables isolation for all web traffic:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Host | matches regex | .* | Isolate |
If instead you need to isolate specific pages, you can list the domains for which you would like to isolate traffic:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Domain | In | example.com, example.net | Isolate |
Do Not Isolate
You can choose to disable isolation for certain destinations or categories. The following configuration disables isolation for traffic directed to example.com:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Host | In | example.com | Do Not Isolate |
Policy settings
The following optional settings appear in the Gateway HTTP policy builder when you select the Isolate action. Enable these settings to prevent data loss when users interact with untrusted websites in the remote browser.
Disable copy / paste
Prohibits users from copying and pasting content between a remote web page and their local machine.
Disable printing
Prohibits users from printing remote web pages to their local machine.
Disable keyboard
Prohibits users from performing keyboard input into the remote web page.
Disable upload
Prohibits users from uploading files from their local machine into a remote web page.
Disable download
Prohibits users from exporting files from the remote browser to their local machine.
Disable clipboard redirection
Prevents copying isolated content from the remote browser to their local clipboard and pasting content from their local clipboard into isolated pages.
Common policies
Isolate all security threats
Isolate security threats such as malware and phishing.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Security Risks | in | All security risks | Isolate |
Isolate high risk content
Isolate high risk content categories such as newly registered domains.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | in | Security Risks | Isolate |
Isolate news and media
Isolate news and media sites, which are targets for malvertising attacks.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | in | News and Media | Isolate |
Isolate uncategorized content
Isolate content that has not been categorized by Cloudflare Radar.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | not in | All content categories | Isolate |
Isolate ChatGPT
Isolate the use of ChatGPT.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | ChatGPT | Or | Isolate |
| Host | in | chat.openai.com, auth0.openai.com, openai.com, cdn.auth0.com |
In Configure policy settings, you can customize restrictions for ChatGPT. For example, to prevent your users from inputting sensitive information, you can select Disable copy / paste and Disable file uploads.