Common policies
The following DLP policies are commonly used to secure sensitive data in uploaded and downloaded files. They are built as Gateway HTTP policies using the DLP Profile selector.
Before using these policies, complete the prerequisites for scanning HTTP traffic.
When you want to monitor where sensitive data is going before enforcing blocks, use the Allow action. In a Gateway HTTP policy, all matches — including Allow — are recorded in your HTTP request logs. This gives you visibility into sensitive data transfers without disrupting users.
The following example logs any upload or download that matches your enabled Financial Information DLP profile entries when users interact with file sharing applications.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| DLP Profile | in | Financial Information | And | Allow |
| Content Categories | in | File Sharing | | |
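An added example (not part of the Cloudflare page) of what a reviewer does with the log-only policy above: it reads Gateway HTTP request log lines, keeps only Allow matches that fired a DLP profile, and summarizes them by destination host, user and profile entry so you can judge which transfers are legitimate before switching the action to Block. The sample lines are constructed, and the field names (`Action`, `HTTPHost`, `Email`, `DLPProfiles`, `DLPProfileEntries`) are an assumption about the export format; map them to the fields of your own log export.

```python
import json
from collections import Counter

# Constructed sample events shaped like Gateway HTTP request log lines
# (one JSON object per line). Field names are assumed, not taken from the page.
SAMPLE_LOG_LINES = [
    json.dumps({"Datetime": "2024-01-01T10:00:00Z", "Email": "alice@example.com",
                "HTTPHost": "files.example-share.test", "HTTPMethod": "PUT",
                "Action": "allow", "DLPProfiles": ["Financial Information"],
                "DLPProfileEntries": ["Credit Card Number"]}),
    json.dumps({"Datetime": "2024-01-01T10:05:00Z", "Email": "bob@example.com",
                "HTTPHost": "files.example-share.test", "HTTPMethod": "GET",
                "Action": "allow", "DLPProfiles": ["Financial Information"],
                "DLPProfileEntries": ["IBAN"]}),
    json.dumps({"Datetime": "2024-01-01T10:07:00Z", "Email": "alice@example.com",
                "HTTPHost": "drive.example-cloud.test", "HTTPMethod": "POST",
                "Action": "allow", "DLPProfiles": ["Financial Information"],
                "DLPProfileEntries": ["Credit Card Number"]}),
    # An ordinary allowed request with no DLP match: must not be counted.
    json.dumps({"Datetime": "2024-01-01T10:09:00Z", "Email": "carol@example.com",
                "HTTPHost": "intranet.example.test", "HTTPMethod": "GET",
                "Action": "allow", "DLPProfiles": [], "DLPProfileEntries": []}),
    # A match blocked by another policy: excluded when reviewing Allow-only hits.
    json.dumps({"Datetime": "2024-01-01T10:11:00Z", "Email": "bob@example.com",
                "HTTPHost": "paste.example.test", "HTTPMethod": "POST",
                "Action": "block", "DLPProfiles": ["Financial Information"],
                "DLPProfileEntries": ["Credit Card Number"]}),
    "this line is not valid json and is skipped",
]


def parse_dlp_events(lines, action="allow"):
    """Return events with the given policy action that matched at least one DLP profile.
    Malformed lines are skipped rather than aborting the whole review."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("Action") != action:
            continue
        if not event.get("DLPProfiles"):
            continue
        events.append(event)
    return events


def summarize(events, key):
    """Count matched transfers per value of `key` (for example HTTPHost or Email)."""
    return Counter(e.get(key, "<unknown>") for e in events)


def summarize_entries(events):
    """Count which DLP profile entries fired; one event may list several."""
    return Counter(entry for e in events for entry in e.get("DLPProfileEntries", []))


if __name__ == "__main__":
    matches = parse_dlp_events(SAMPLE_LOG_LINES)
    print(f"{len(matches)} allowed DLP matches")
    for host, n in summarize(matches, "HTTPHost").most_common():
        print(f"  {host}: {n}")
    for entry, n in summarize_entries(matches).most_common():
        print(f"  entry {entry}: {n}")
```

Hosts that appear repeatedly with real sensitive data are candidates for a Block policy; hosts that appear only because of false positives are candidates for the exemption list described further down the page.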
Block the upload or download of files based on their type.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Upload File Types | in | Microsoft Office Word Document (docx) | And | Block |
| Download File Types | in | PDF (pdf) | | |
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Block file types",
    "description": "Block the upload or download of files based on their type",
    "enabled": true,
    "action": "block",
    "filters": [
      "http"
    ],
    "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})",
    "identity": "",
    "device_posture": ""
  }'
```

For more information on what file formats DLP can scan, refer to Supported file types.
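The following is an added Python example (not Cloudflare's code) that generalizes the curl call above: it builds the `traffic` expression for any combination of upload and download file types, assembles the same request body, and optionally posts it to the same endpoint. The field names `http.upload.file.types` and `http.download.file.types` and the body layout come from the page; the whitespace-separated set syntax for several members (`{"docx" "xlsx"}`) and the `or` combinator are standard Gateway expression syntax not shown on the page, and `ACCOUNT_ID` / `CLOUDFLARE_API_TOKEN` are read from the environment as in the curl example.

```python
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def wirefilter_set(values):
    """Render a set literal; members are whitespace-separated, e.g. {"docx" "xlsx"}."""
    values = list(values)
    if not values:
        raise ValueError("a set literal needs at least one member")
    return "{" + " ".join(json.dumps(v) for v in values) + "}"


def file_type_traffic(upload_types=(), download_types=(), logic="and"):
    """Build the `traffic` expression for a file-type policy.
    logic="and" matches only a request that satisfies both conditions;
    logic="or" matches a request that satisfies either."""
    if logic not in ("and", "or"):
        raise ValueError("logic must be 'and' or 'or'")
    clauses = []
    if upload_types:
        clauses.append(f"any(http.upload.file.types[*] in {wirefilter_set(upload_types)})")
    if download_types:
        clauses.append(f"any(http.download.file.types[*] in {wirefilter_set(download_types)})")
    if not clauses:
        raise ValueError("specify at least one upload or download file type")
    return f" {logic} ".join(clauses)


def build_policy(name, description, traffic, action="block", enabled=True):
    """Assemble the request body in the shape the curl example sends.
    Use action="allow" to get a log-only policy while you review matches."""
    return {
        "name": name,
        "description": description,
        "enabled": enabled,
        "action": action,
        "filters": ["http"],
        "traffic": traffic,
        "identity": "",
        "device_posture": "",
    }


def create_policy(policy, account_id, api_token):
    """POST the policy to the Gateway rules endpoint (network call; skipped offline)."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy(
        "Block file types",
        "Block the upload or download of files based on their type",
        file_type_traffic(["docx"], ["pdf"]),
    )
    print(json.dumps(policy, indent=2))
    account_id = os.environ.get("ACCOUNT_ID")
    api_token = os.environ.get("CLOUDFLARE_API_TOKEN")
    if account_id and api_token:
        print(json.dumps(create_policy(policy, account_id, api_token), indent=2))
```

With the default `and`, as in the table and curl example, a request is blocked only when it both uploads a docx and downloads a pdf; to block a request that does either, pass `logic="or"`. Build the policy once with `action="allow"` first if you want the log-only visibility described at the top of the page before enforcing.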
You can configure access on a per-user or group basis by adding identity-based conditions to your policies. These selectors match against user attributes from your configured identity provider.
The following example blocks only contractors from uploading/downloading Financial Information to file sharing apps. Users who are not in the Contractors group are not affected by this policy.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| DLP Profile | in | Financial Information | And | Block |
| Content Categories | in | File Sharing | And | |
| User Group Names | in | Contractors | | |
Many Android applications (such as Google Drive) use certificate pinning, which is incompatible with Gateway TLS decryption. These applications verify they are connecting directly to their own servers and will reject Gateway's inspection certificate. If needed, you can create a Do Not Inspect policy so that the app can continue to function on Android:
1. Set up an OS version device posture check that checks for the Android operating system.
2. Create the following HTTP policy in Gateway:

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | Google Drive | And | Do Not Inspect |
| Passed Device Posture Checks | in | OS Version Android | | |
Android users can now use the app, but the app traffic will bypass Gateway inspection entirely — including DLP scanning, HTTP logging, and antivirus scanning.
In your DLP logs, you may find that certain sites routinely trigger DLP detections that do not represent actual data loss (false positives). To exempt these sites from DLP scanning:
1. Create a list of hostnames or URLs.
2. Exclude the list from your DLP policy using the *not in list* operator, which references the list you created in step 1:

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| DLP Profile | in | Financial Information | And | Block |
| Application | in | Google Drive | And | |
| Domain | not in list | Do not DLP - SSN | | |