Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Browser Isolation

Just like how you can use Gateway to allow or block traffic based on content categories or security threats, you can define Isolation policies to dynamically isolate websites based on identity, security threats or content. To build Browser Isolation policies, navigate to Policies > HTTP policies on the Teams Dashboard. In the rule builder, choose the Isolate or Do not Isolate actions to enable or disable isolation for certain websites or content.

Browser isolation policy


When an HTTP policy applies the Isolate action, the user's web browser is transparently served an HTML compatible remote browser client. Isolation policies can be applied to requests that include Accept: text/html*. This allows Browser Isolation policies to co-exist with API traffic.

If you'd like to isolate all security threats, you can set up a policy with the following configuration:

Security ThreatsInAll security threatsIsolate

If instead you need to isolate specific hostnames, you can list the domains you'd like to isolate traffic to:

SelectorOperatorValueAction, example.netIsolate

Do Not Isolate

You can choose to disable isolation for certain destinations or categories. The following configuration disables isolation for traffic directed to

HostInexample.comDo Not Isolate


Malware and zero-day threats are not the only security challenges administrators face with web browsers. The mass adoption of SaaS products has made the web browser the primary tool used to access data. Lack of control over both the application and the browser has left administrators little control over their data once it is delivered to an endpoint.

All the following settings can be applied to websites through Applications, Lists, Domain and Hostname expressions.

Disable copy / paste

Disable printing

Disable keyboard

  • Behavior. Prohibits users from performing keyboard input into the remote page.
  • Use Case. Prevent users inputting sensitive information into unknown/untrusted websites.

Disable upload

  • Behavior. Prohibits users from uploading files from their local machine into a remote web page.
  • Use Case. Protect sensitive data from being exfiltrated to unknown/untrusted websites.

Disable download

  • Behavior. Prohibits users from exporting files from the remote browser to their local machine.
  • Use Cases. Protect users from downloading files from unknown/untrusted sources, and protect sensitive content in self-hosted or SaaS applications from data loss.