Log the payload of matched rules
Data Loss Prevention allows you to log the data that triggered a specific DLP policy. This data is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 20 characters of additional context on both sides of the match.
1. Generate a key pair
2. Upload the public key to Cloudflare
In the DLP Payload Encryption public key field, paste your public key.
3. Enable payload logging for a DLP policy
Go to Gateway > Firewall Policies > HTTP.
In the policy builder, scroll down to Configure policy settings and enable Log the payload of matched rules.
Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.
4. View payload logs
Go to Logs > Gateway > HTTP.
Go to the DLP log you are interested in reviewing and expand the row.
Select Decrypt Payload Log.
Enter your private key and select Decrypt.
All Cloudflare logs are encrypted at rest. Encrypting the payload content adds a second layer of encryption for the matched values that triggered a DLP rule.
Cloudflare cannot decrypt encrypted payloads, since this operation requires your private key. Cloudflare staff will never ask for the private key.