
Data Loss Prevention

Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.

Data-in-transit

Data Loss Prevention complements Secure Web Gateway to detect sensitive data transferred in HTTP requests. DLP scans the entire HTTP body, which may include uploaded or downloaded files, chat messages, forms, and other web content. Visibility varies depending on the site or application. DLP does not scan non-HTTP traffic such as email, nor does it scan any traffic that bypasses Cloudflare Gateway (for example, traffic that matches a Do Not Inspect rule).

To get started, refer to Scan HTTP traffic with DLP.

Data-at-rest

Data Loss Prevention complements Cloudflare CASB to detect sensitive data stored in your SaaS applications. Unlike data-in-transit scans, which read files sent through Cloudflare Gateway, CASB retrieves files directly via API. Therefore, Gateway and WARP settings (such as Do Not Inspect and Split Tunnel rules) will not affect data-at-rest scans.

To get started, refer to our CASB documentation.

Supported file types

Formats

  • Text and CSV
  • Microsoft Office 2007 and later (.docx, .xlsx, .pptx), including Microsoft 365
  • PDF
  • ZIP files containing the above

Size

The maximum file size is 100 MB. Size limitation is assessed against the file after unzipping. ZIP files can be recursively compressed a maximum of 10 times.
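
The following is an added example, not Cloudflare code: a pre-check that walks a file (and any nested ZIP layers) against the format, size, and nesting limits listed above, so that content falling outside them can be routed to another control. It assumes the 100 MB limit applies to each extracted file and that "Text" corresponds to .txt; the function names are hypothetical and the sample archives are constructed in memory.

```python
import io
import os
import zipfile

MAX_BYTES = 100 * 1024 * 1024  # 100 MB, assessed after unzipping (from this page)
MAX_ZIP_LAYERS = 10            # ZIP nesting limit (from this page)
# Assumption: extensions standing in for the page's format list ("Text" as .txt).
SUPPORTED = {".txt", ".csv", ".docx", ".xlsx", ".pptx", ".pdf"}

def coverage_gaps(name, data, size=None, layer=0):
    """List reasons a file, or a member of a ZIP, exceeds the documented limits."""
    size = len(data) if size is None else size
    ext = os.path.splitext(name)[1].lower()
    if ext != ".zip":
        gaps = []
        if ext not in SUPPORTED:
            gaps.append(f"{name}: unsupported format")
        if size > MAX_BYTES:
            gaps.append(f"{name}: {size} bytes exceeds 100 MB")
        return gaps
    layer += 1
    if layer > MAX_ZIP_LAYERS:
        return [f"{name}: ZIP nesting exceeds {MAX_ZIP_LAYERS} layers"]
    gaps = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}!{info.filename}"
                # Check the declared size first so an oversized member is never expanded.
                if info.file_size > MAX_BYTES:
                    gaps.append(f"{member}: {info.file_size} bytes exceeds 100 MB")
                elif info.filename.lower().endswith(".zip"):
                    gaps += coverage_gaps(member, zf.read(info), layer=layer)
                else:
                    gaps += coverage_gaps(member, b"", size=info.file_size, layer=layer)
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        gaps.append(f"{name}: ZIP could not be read")
    return gaps

def make_nested_zip(inner_name, inner_data, layers):
    """Constructed sample input: wrap one file in `layers` ZIP layers."""
    name, data = inner_name, inner_data
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = f"layer{i}.zip", buf.getvalue()
    return name, data
```

An empty list means the file sits within the limits stated on this page; it does not confirm how the DLP engine itself will treat the file.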