Profile settings
This page lists the profile settings available when configuring a predefined or custom DLP profile. You can configure profile settings when you create a custom profile or edit profile settings for an existing predefined or custom profile.
To edit profile settings for an existing predefined or custom DLP profile:
- In Cloudflare One, go to Data loss prevention > Profiles.
- Choose a profile, then select Edit.
- In Settings, configure the settings for your profile.
- Select Save profile.
The following advanced detection settings are available for predefined and custom DLP profiles.
Match count sets a minimum threshold for detections. DLP does not trigger an action (such as blocking or logging) until the number of detections exceeds the match count. For example, if you set a match count of 10, the scanned file or HTTP body must contain 11 or more matching strings before the action triggers. Detections do not have to be unique.
Optical Character Recognition (OCR) analyzes and interprets text within image files. When used with DLP profiles, OCR can detect sensitive data within images your users upload.
OCR supports scanning .jpg/.jpeg and .png files between 4 KB and 1 MB in size. Text is encoded in UTF-8 format, including support for non-Latin characters.
AI context analysis uses a pretrained model to analyze surrounding context and adjust the confidence level of a detection. For example, a number that matches a credit card pattern may receive a lower confidence score if it appears in a context where credit card numbers are unlikely. DLP will log any matches that are above your confidence threshold.
DLP redacts any matched text, then converts the surrounding context into a vector embedding and submits it to Cloudflare Workers AI. Vector embeddings (not raw text) are stored in user-specific private namespaces for up to six months, along with hit count and the false positive/negative report.
To use AI context analysis:
- Choose the Confidence threshold in a DLP profile.
- Add the profile to a DLP policy.
- When configuring the DLP policy, turn on payload logging.
AI context analysis results will appear in the payload section of your DLP logs. To improve future detections of sensitive data, you need to report false and true positives.
Confidence thresholds indicate how confident Cloudflare DLP is in a detection. DLP determines the confidence level by inspecting the content for proximity keywords — related terms that appear near the detected data. For example, the word "SSN" appearing near a 9-digit number increases confidence that the number is a Social Security number.
When you set a confidence threshold on a profile, DLP only triggers on detections at that level or higher:
- Low (default) — Based on regular expressions with few proximity keywords. This is the most inclusive setting, with a high tolerance for false positives.
- Medium — Applies additional validations to filter out low confidence detections. This setting has a medium tolerance for false positives.
- High — Applies rigorous contextual validation for minimal false positives. Detections at this level have a higher likelihood of accuracy.
Confidence threshold is set on the DLP profile. When you select a confidence threshold in Cloudflare One, you will see which DLP entries will be affected by the confidence threshold. Entries that do not reflect a confidence threshold in Cloudflare One are not yet supported or are not applicable.
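The sketch below is an added example, not Cloudflare's implementation or code from this page: a simplified model of how a profile's confidence threshold ("that level or higher") and match count ("exceeds") combine. The SSN-style pattern, keyword list, window sizes, and the choice to apply match count after threshold filtering are assumptions made for illustration.

```python
import re

# Ordered levels: a profile threshold matches detections at that level or higher.
LEVELS = {"low": 0, "medium": 1, "high": 2}

# Assumptions for this sketch (not Cloudflare's values): the pattern,
# the proximity keywords and both window sizes.
SSN_LIKE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
KEYWORDS = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)
NEAR_WINDOW = 20   # keyword this close before the match -> "high"
WIDE_WINDOW = 80   # keyword this close before the match -> "medium"


def score(text, start):
    """Confidence level for a pattern match that begins at index `start`."""
    if KEYWORDS.search(text[max(0, start - NEAR_WINDOW):start]):
        return "high"
    if KEYWORDS.search(text[max(0, start - WIDE_WINDOW):start]):
        return "medium"
    return "low"


def detections(text, threshold):
    """Matches at or above the profile threshold; duplicates are kept."""
    hits = []
    for m in SSN_LIKE.finditer(text):
        level = score(text, m.start())
        if LEVELS[level] >= LEVELS[threshold]:
            hits.append((m.group(), level))
    return hits


def action_triggers(text, threshold, match_count):
    """The action fires only when detections exceed the match count."""
    # Assumption: match count is applied to the threshold-filtered detections.
    return len(detections(text, threshold)) > match_count


# Constructed sample body (not real data).
SAMPLE = (
    "Employee SSN: 123-45-6789\n"                                # keyword adjacent
    "Social security numbers for the audit are listed here: 111-22-3333\n"
    + "-" * 80 + "\n"                                             # pushes keywords out of range
    "ticket refs 987-65-4321 987-65-4321\n"                      # no context, duplicate value
)
```

With this sample, a Low threshold yields four detections (the duplicate counts twice), so a match count of 3 triggers the action and a match count of 4 does not; a High threshold leaves only the keyword-adjacent value.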
To change the confidence threshold of a DLP profile:
- In Cloudflare One, go to Data loss prevention > Profiles.
- Select the profile, then select Edit.
- In Settings > Confidence threshold, choose a new confidence threshold from the dropdown menu.
- Select Save profile.
For inline detections in Gateway, to display Low and Medium confidence detections but block High confidence detections, Cloudflare recommends creating two HTTP policies. The first policy should use a Low confidence DLP profile with an Allow action. The second policy should use a High confidence DLP profile with a Block action. For example:
First policy:

| Selector | Operator | Value | Action |
|---|---|---|---|
| DLP Profile | in | Low Confidence Detections | Allow |

Second policy:

| Selector | Operator | Value | Action |
|---|---|---|---|
| DLP Profile | in | High Confidence Detections | Block |