HTTP filtering

Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.

Note

For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the Secure your Internet traffic and SaaS apps implementation guide.

1. Connect to Gateway

To filter HTTP requests from a device:

1. Install the Cloudflare root certificate on your device.
2. Install the WARP client on your device.
3. In the WARP client Settings, log in to your organization’s Zero Trust instance.
4. Enable the Gateway proxy for TCP. Optionally, you can enable the UDP proxy to inspect all port 443 UDP traffic.
5. To inspect HTTPS traffic, enable TLS decryption.
6. (Optional) To scan file uploads and downloads for malware, enable anti-virus scanning.

2. Verify device connectivity

1. In Zero Trust ↗, go to Settings > Network.
2. Under Gateway logging, enable activity logging for all HTTP logs.
3. On your device, open a browser and go to any website.
4. In Zero Trust, go to Logs > Gateway > HTTP.
5. Make sure HTTP requests from your device appear.

3. Add recommended policies

To create a new HTTP policy, go to Gateway > Firewall policies > HTTP in Zero Trust. We recommend adding the following policies:

Bypass inspection for incompatible applications

Bypass HTTP inspection for applications which use embedded certificates. This will help avoid any incompatibilities that may arise from an initial rollout. By the Do Not Inspect app type, Gateway will filter any new applications when they are added to the group.

Selector	Operator	Value	Action
Application	in	Do Not Inspect	Do Not Inspect

Block all security categories

Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.

Selector	Operator	Value	Action
Security Categories	in	All security risks	Block

4. Add optional policies

Refer to our list of common HTTP policies for other policies you may want to create.