Cloudflare Docs
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Data Loss Prevention (beta)

With Cloudflare Data Loss Prevention (DLP) and Secure Web Gateway, you can inspect HTTP traffic for the presence of sensitive data such as social security numbers and credit card numbers. DLP scans the entire HTTP body, which may include uploaded or downloaded Microsoft Office documents (Office 2007 and later), chat messages, forms, and other web content. Visibility varies depending on the site or application. DLP does not scan non-HTTP traffic such as email, nor does it scan any traffic that bypasses Cloudflare Gateway (for example, traffic that matches a Do Not Inspect rule).

To perform DLP filtering, first configure a DLP Profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regexes specified in the DLP profile.

​​ Prerequisites

​​ 1. Configure a DLP Profile

  1. In the Zero Trust dashboard, go to Gateway > DLP Profiles.
  2. Choose a predefined DLP Profile and select Configure.
  3. Enable one or more Detection entries according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries.
  4. Select Save profile.

​​ 2. Create a DLP policy

DLP Profiles may be used alongside other Zero Trust rules in a Gateway HTTP policy. To start logging or blocking traffic, create a policy for DLP:

  1. In the Zero Trust dashboard, go to Gateway > Policies > HTTP.

  2. Select Create a policy.

  3. Build an HTTP policy using the DLP Profile selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application:

    Policy name
    Only allow SSN uploads to Workday
    DLP ProfilesinU.S. Social Security Numbers
    Applicationnot inWorkday
  4. Select Create policy.

DLP scanning is now enabled.

​​ 3. View DLP logs

By default, Gateway logs all HTTP requests in the Gateway Activity log. To view DLP logs:

  1. In the Zero Trust dashboard, go to Settings > Network.
  2. Verify that Activity logging is turned on, and check that Gateway HTTP logs is set to capture traffic.
  3. Next, go to Logs > Gateway > HTTP.
  4. Select Filter.
  5. Choose an item under one of the following filters:
    • DLP Profiles - shows the requests which matched a specific DLP profile.
    • Policy - shows the requests which matched a specific DLP policy.

You can expand an individual row to view details about the request.

​​ Policy configuration tips

If you configured a DLP policy with a Block action, false positives may cause some pages to not load properly. Adding additional conditions to your policy will limit the scope of the DLP scan and can help reduce false positives.

For example, is a common source of noise in the DLP logs. These detections clutter your logs with junk data and could cause issues for the end user if they are blocked. To exempt these sites from DLP scanning, you can manually create a list of hostnames or URLs. Then, exclude the list from your DLP policy as shown in the example below:

Policy name
Block SSN uploads to file sharing apps
DLP ProfilesinU.S. Social Security Numbers
ApplicationinFile Sharing
Domainnot in listDo not DLP - SSN