Detection entries
Detection entries are the data patterns that Cloudflare DLP looks for when scanning your web traffic and SaaS applications. You add detection entries to DLP profiles, which define what DLP should detect. Detection entries include:
- Datasets — uploaded spreadsheets of specific values to match against (for example, credit card numbers or internal SKUs)
- Document entries — fingerprints of example documents used to find similar content
- AI prompt topics — categories of prompts submitted to generative AI tools
For datasets containing sensitive data, you can configure values to be hashed before reaching Cloudflare and redacted from matches in payload logs.
You can create and upload custom datasets to scan for specific matching data.
Exact Data Match (EDM) protects sensitive information, such as names, addresses, phone numbers, and credit card numbers.
All EDM dataset data is encrypted before reaching Cloudflare. To detect matches, Cloudflare hashes traffic and compares it to hashes from your dataset. Matched data will be redacted in payload logs.
Custom Wordlist (CWL) protects non-sensitive data, such as intellectual property and SKU numbers.
Unlike EDM, Cloudflare stores data from CWL datasets in plaintext within DLP. Plaintext matches appear in payload logs. Optionally, CWL can detect case-sensitive data.
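The following added example (not Cloudflare's code or algorithm) models what each dataset type leaves in payload logs: EDM-style matching against hashes with redaction, and CWL-style plaintext matching with optional case sensitivity. HMAC-SHA-256, the demo key, whitespace tokenization, and all function names are assumptions; the sample values are constructed.

```python
import hashlib
import hmac
import re

# Assumption: a per-dataset secret key. The page does not describe key handling.
KEY = b"constructed-demo-key"


def digest(value: str) -> str:
    """Keyed hash of one dataset value or one traffic token."""
    return hmac.new(KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_edm_index(values):
    """EDM-style index: only digests are kept, never the raw values."""
    return {digest(v) for v in values}


def scan_edm(payload: str, index) -> str:
    """Hash each whitespace-delimited token and redact the ones found in the index."""
    def check(match):
        token = match.group(0)
        return "[REDACTED]" if digest(token) in index else token
    return re.sub(r"\S+", check, payload)


def scan_cwl(payload: str, words, case_sensitive=False):
    """CWL-style scan: words are held in plaintext and matches come back in plaintext."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.group(0)
            for w in words
            for m in re.finditer(re.escape(w), payload, flags)]


if __name__ == "__main__":
    index = build_edm_index(["4111111111111111"])  # constructed test card number
    print(scan_edm("card 4111111111111111 exp 12/30", index))
    print(scan_cwl("build sku-77812 and SKU-77812", ["SKU-77812"]))
    print(scan_cwl("build sku-77812 and SKU-77812", ["SKU-77812"], case_sensitive=True))
```

The EDM log line carries a redaction marker where the value was, while the CWL result contains the matched strings themselves, which is why CWL is meant for non-sensitive data.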
To prepare a dataset for DLP, add your desired data to a multi-column spreadsheet. Each line must be at least six characters long. Entries do not require trailing or final commas.
For compatibility, save your file in either .csv or .txt format with LF (\n) newline characters. DLP does not support CRLF (\r\n) newline characters. For information on dataset limits, refer to Account limits.
Column title cells may result in false positives in Custom Wordlist datasets and should be removed.
DLP will detect and use title cells as column names for Exact Data Match datasets. If multiple columns have the same name, DLP will append a number sign (#) and number to their names.
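A pre-upload check for the formatting rules above, as an added example (not part of Cloudflare's tooling). It flags CRLF newlines, lines shorter than six characters, duplicate EDM column names, and a likely title row in a CWL file; the function names and the caller-supplied `header_names` set are assumptions, and the sample files in the test are constructed.

```python
import csv
import io
from collections import Counter

MIN_LINE_LEN = 6  # from the page: each line must be at least six characters long


def normalize_newlines(raw: bytes) -> bytes:
    """Convert CRLF and bare CR to LF, the only newline style DLP supports."""
    return raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def check_dataset(raw: bytes, kind: str, header_names=()):
    """Return (line_number, problem) findings for an 'edm' or 'cwl' dataset file.

    header_names is a hypothetical, caller-supplied set of lowercase strings
    known to be column titles; it is only used for CWL files.
    """
    findings = []
    if b"\r" in raw:
        findings.append((0, "CR/CRLF newlines present; convert to LF"))
    lines = normalize_newlines(raw).decode("utf-8").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a trailing newline is not an empty entry
    for number, line in enumerate(lines, 1):
        if len(line) < MIN_LINE_LEN:
            findings.append((number, f"line shorter than {MIN_LINE_LEN} characters"))
    if not lines:
        return findings
    first_row = next(csv.reader(io.StringIO(lines[0])), [])
    if kind == "edm":
        # EDM treats the first row as column names; duplicates get renamed by DLP.
        for name, count in Counter(first_row).items():
            if count > 1:
                findings.append((1, f"duplicate column name {name!r}; DLP will rename it"))
    elif kind == "cwl":
        # CWL treats every row as a value, so a title row becomes a match term.
        if any(cell.strip().lower() in header_names for cell in first_row):
            findings.append((1, "title row present; remove it to avoid false positives"))
    return findings
```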
Upload an Exact Data Match dataset
- In Cloudflare One, go to Data loss prevention > Detection entries.
- From the Datasets tab, select Add a dataset.
- Select Exact Data Match (EDM).
- Upload your dataset file. Select Next.
- Review and choose the detected columns you want to include. Select Next.
- Name your dataset. Optionally, add a description. Select Next.
- Review the details for your uploaded dataset. Select Save dataset.
DLP will encrypt your dataset and save its hash.
Upload a Custom Wordlist dataset
- In Cloudflare One, go to Data loss prevention > Detection entries.
- From the Datasets tab, select Add a dataset.
- Select Custom Wordlist (CWL).
- Name your dataset. Optionally, add a description.
- (Optional) In Settings, turn on Enforce case sensitivity to require matched values to contain exact capitalization.
- In Upload file, choose your dataset file.
- Select Save.
DLP will save your dataset in cleartext.
The dataset will appear in the list with an Uploading status. Once the upload is complete, the status will change to Complete. To use your uploaded dataset, add it as an existing entry to a custom DLP profile.
Uploaded DLP datasets are read-only. To update a dataset, you must upload a new file to replace the original.
- In Cloudflare One, go to Data loss prevention > Detection entries.
- From the Datasets tab, select the dataset you want to update.
- Select Upload dataset and choose your updated dataset. Select Next.
- If your selected dataset is an Exact Data Match dataset, review and choose the new columns. Select Next.
- Select Save dataset.
Your new dataset will replace the original dataset.
You can upload example documents to detect similar content in your organization's traffic. DLP creates a unique fingerprint of the document and compares traffic against it based on how similar it is to the original. This is useful for detecting specific document types common to your organization, such as contract templates or internal reports, where the content does not reduce to a list of individual values in a dataset.
DLP stores uploaded documents encrypted at rest in a Cloudflare R2 bucket. To upload sensitive data that is only stored in memory, use Exact Data Match.
DLP supports documents in .docx and .txt format. Documents must be under 10 MB.
To upload a new document entry to DLP:
- In Cloudflare One, go to Data loss prevention > Detection entries.
- From the Documents tab, select Add a document entry.
- Name your document. Optionally, add a description.
- In Minimum similarity for matches, enter a value between 0% and 100%.
- In Upload document, choose and upload your document file.
- Select Save.
The document will appear in the list with a Pending status. Once the upload is complete, the status will change to Complete. If you created a document entry with Terraform, the status will be No file until you upload a file.
To use your uploaded document fingerprint, add it as an existing entry to a custom DLP profile.
Uploaded document entries are read-only. To update a document entry, you must upload a new file to replace the original.
- In Cloudflare One, go to Data loss prevention > Detection entries.
- From the Documents tab, choose the document you want to update and select Edit.
- (Optional) Update the name and minimum similarity for matches for your document entry. You can also open the existing uploaded document.
- In Update document entry, choose and upload your updated document file.
- Select Save.
Your new document entry will replace the original document entry. If your file upload fails, DLP will still use the original document fingerprint to scan traffic until you delete the entry.
DLP uses Application Granular Controls to detect and categorize prompts submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported AI prompt protection detections include:
| Detection entry | Description |
|---|---|
| Content: PII | Prompt contains personal information such as names, SSNs, or email addresses. |
| Content: Credentials and Secrets | Prompt contains API keys, passwords, or other sensitive credentials. |
| Content: Source Code | Prompt contains actual source code, code snippets, or proprietary algorithms. |
| Content: Customer Data | Prompt contains customer names, projects, business activities, or confidential customer contexts. |
| Content: Financial Information | Prompt contains financial numbers or confidential business data. |
| Intent: PII | Prompt requests specific personal information about individuals. |
| Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities. |
| Intent: Jailbreak | Prompt attempts to circumvent AI security policies. |
Each detection entry is categorized as either Content or Intent:
- Content — Detects specific text or data in the prompt itself (for example, a user pasting source code or a credit card number into a chat).
- Intent — Detects the user's goal or objective for the AI's response (for example, a user asking an AI to generate malicious code or extract personal information).
Intent detection is useful when AI applications have access to internal data sources containing sensitive information through SaaS connectors or Model Context Protocol (MCP) servers.
To use an AI prompt topic, configure the corresponding predefined DLP profile or add it as an existing entry to a custom DLP profile. AI prompt protection is available for ChatGPT, Google Gemini, Perplexity, and Claude.