Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

HTTP policies

HTTP policies allow you to filter HTTP traffic on the L7 firewall. Gateway will intercept all HTTP and HTTPS traffic and apply the rules you have configured in your policy to either block, allow, or override specific elements such as websites, IP addresses, and file types.

Gateway flow HTTP

Build an HTTP policy by configuring the following elements:

  • Actions
  • Expressions
  • Selectors
  • Operators

Actions

Just like actions on destinations in DNS policies, actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.

These are the action types you can choose from:

  • Allow
  • Block
  • Bypass

Bypass lets administrators bypass certain elements from inspection. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occuring on both encrypted and plaintext traffic. The bypass action is only available when matching against the host criteria.

Selectors

Gateway matches HTTP traffic against the following selectors, or criteria:

  • Host
  • URL
  • URL Query
  • URL Path
  • URL Path and Query
  • HTTP Method
  • HTTP Response
  • Uploaded and Downloaded File Extension
  • Uploaded and Downloaded Mime Type
  • Content categories

List of file extensions Gateway can match against:

ImageExecutableAudioDocumentsDataCompressedSystemVideo
avifapkm4adocavro7zbakavi
bmpbatmiddocxcsvarjcabflv
gifbinmp3odpdatbz2cplh264
icocgimpaodsdmgdebcurm4v
jpegcomwavodtisogzemumkv
pngdllwmapdfjsonlzinimov
psdexepptloglz4scrmp4
svghtapptxmdblzhsysmpeg
tifjarrtfnzblzmatmpwmv
webpmootxtorcpak
pifxlsparquetrar
plxlsxrcrpm
prgsavsz
wasmxz
sql litez
tarzip
tomlzlib
torrentzst
xml
yaml

Operators

Operators are the way Gateway matches traffic to a selector. Matching happens as follows:

OperatorMeaning
isexact match, equals
is notall except exact match
inin any of defined entries
not innot in defined entries
matches regexregex evaluates to true
does not match regexall except when regex evals to true

Expressions

Expressions are sets of conditions with which you can combine selectors and operators. By configuring one or more expressions, you can define the scope of your HTTP policy.

Example scenarios

ActionSelectorOperator
BlockContent categoriesin: Gaming

Result: this configuration blocks any traffic to domains categorized as Gaming.

FAQ

  • How can I bypass the L7 firewall for a website?

Cloudflare Gateway uses the hostname in the HTTP CONNECT header to identify the destination of the request. Administrators who wish to bypass a site must match against the host in order to prevent HTTP inspection from occurring on both encrypted and plaintext traffic. The bypass action is only available when matching against the host criteria. Bypassing the L7 firewall results in no HTTP traffic inspection and logging is disabled for that HTTP session.

  • In what order are rules evaluated?

The L7 firewall evaluates rules starting with the rule containing the lowest precedence (e.g., rule number one). Rules with a higher value precedence are evaluated after those with a lower value.