Troubleshoot DLP
Use this guide to troubleshoot common issues with Data Loss Prevention (DLP).
DLP not inspecting or blocking content is the most common issue reported. If you have configured a DLP policy but it fails to inspect or block traffic, the cause is almost always that the traffic is not being decrypted. To use DLP to scan the content of HTTPS requests, you must turn on TLS decryption.
To turn on TLS decryption:
- In Cloudflare One ↗, go to Traffic policies > Traffic settings.
- In Proxy and inspection, turn on Inspect HTTPS requests with TLS decryption.
-
Add the following permission to your
cloudflare_api_token↗:Zero Trust Write
-
Configure the
tls_decryptargument incloudflare_zero_trust_gateway_settings↗:resource "cloudflare_zero_trust_gateway_settings" "team_name" {account_id = var.cloudflare_account_idsettings = {tls_decrypt = {enabled = true}}}
Once you turn on TLS decryption, you can create a DLP policy to inspect the content of HTTPS requests. For example:
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Domain | in | box.com | And | Block |
| DLP Profile | in | Credit card numbers |
If your DLP policy is blocking access to business-critical applications (such as Zoho, Google, or internal domains) or generating a high number of false positives, your DLP policy is likely too broad. Profiles such as Credentials and Secrets are powerful but can be overly aggressive if not scoped correctly.
Applying a sensitive profile to all traffic causes unnecessary blocks. For example:
| Selector | Operator | Value | Action |
|---|---|---|---|
| DLP Profile | in | Credentials and Secrets | Block |
Make your policies more specific. Instead of a catch-all block, create granular policies that target high-risk destinations or user groups.
This policy only blocks uploads of financial data to file-sharing websites for a specific user group, reducing the risk of false positives on other sites.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Destination Domain | in | dropbox.com, wetransfer.com | And | Block |
| DLP Profile | in | Financial Information | And | |
| User Group Names | in | Finance Team |
You can also create policies that match trusted applications using the Do Not Scan action.
If DLP detects sensitive data in plain text but not within images or certain applications, check for the following issues:
- OCR is turned on: For DLP to scan text within images (such as a picture of a credit card), you must turn on Optical Character Recognition (OCR) in the corresponding DLP profile.
- Application-specific behavior: Some applications, such as WhatsApp Web, use protocols or encryption methods (such as WebSockets) that Gateway may not be able to fully inspect with HTTP policies.
- Supported file types: Content must be in a supported file type for DLP inspection.
If you cannot use the DLP Profile selector when creating an HTTP policy or are blocked from creating a custom DLP profile, it typically means one of two things:
- Incorrect plan. These features require a Zero Trust Enterprise plan. If you believe your account should have this entitlement, contact your account team to confirm your subscription details.
- Permissions issue. You may not have the required administrative privileges to configure DLP settings. Check with your Cloudflare account administrator.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
