Block page
When Gateway blocks traffic with a DNS or HTTP Block policy, you can configure a block page to display in your users' browsers. You can provide a descriptive reason for blocking traffic and contact information, or you can redirect your users' browsers to another page. You can apply these customizations globally for every Block policy, or override the settings on a per-policy basis.
In order to display the block page as the URL of the blocked domain, your organization's devices must have a Cloudflare certificate installed. Enterprise users can also deploy their own root CA certificate. If you do not install a certificate, the block page will not display correctly.
Gateway will display a global block page in the browser of any user whose traffic is blocked. By default, Gateway will display the block page for any DNS Block policies you turn it on for and all HTTP Block policies. You can turn on or override the global setting on a per-policy basis.
To configure the global block page:
- In Zero Trust, go to Settings > Custom Pages.
- Under Account Gateway block page, Gateway will display the current block page setting. Select Customize.
- Choose whether to use the default Gateway block page, a URL redirect, or a custom Gateway block page.
- Select Save.
When you choose Default Gateway block page, Gateway will display a block page hosted by Cloudflare. This is the default option for all traffic blocked by Gateway.
Instead of displaying the Cloudflare block page, you can configure Gateway to return a `307` (Temporary Redirect) HTTP response code and redirect to a custom URL.
To redirect users to a non-Cloudflare block page:
- In Zero Trust, go to Settings > Custom Pages.
- Under Account Gateway block page, select Customize.
- Choose URL redirect.
- Enter the URL you want to redirect blocked traffic to.
- (Optional) Turn on Send policy context to send additional policy context to the redirected URL.
- Select Save.
Gateway will now redirect users to a custom page when user traffic matches a Block policy with the block page configured.
To create an HTTP policy to redirect URLs, refer to the Redirect action.
When you turn on Send policy context, Gateway will append details of the matching request to the redirected URL as a query string. Not every context field will be included. Potential policy context fields include:
Policy context fields
Field | Definition | Example |
---|---|---|
User email | Email of the user that made the query. | &cf_user_email=user@example.com |
Site URL | Full URL of the original HTTP request or domain name in DNS query. | &cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F |
URL category | Domain categories of the URL to be redirected. | &cf_request_categories=New%20Domains,Newly%20Seen%20Domains |
Original HTTP referer | For HTTP traffic, the original HTTP referer header of the HTTP request. | &cf_referer=https%3A%2F%2Fexample.com%2F |
Rule ID | ID of the Gateway policy that matched the request. | &cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 |
Source IP | Source IP address of the device that matched the policy. | &cf_source_ip=203.0.113.5 |
Device ID | UUID of the device that matched the policy. | &cf_device_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1 |
Application names | Name of the application the redirected domain corresponds to, if any. | &cf_application_name=Salesforce |
Filter | The traffic type filter that triggered the block. | &cf_filter=http, &cf_filter=dns, &cf_filter=av, or &cf_filter=l4 |
Account ID | Cloudflare account ID of the associated Zero Trust account. | &cf_account_id=d57c3de47a013c03ca7e237dd3e61d7d |
Query ID | ID of the DNS query for which the redirect took effect. | &cf_query_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 |
Connection ID | ID of the proxy connection for which the redirect took effect. | &cf_connection_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 |
Request ID | ID of the HTTP request for which the redirect took effect. | &cf_request_id=f8dc6fd3-a7a5-44dd-8b77-08430bb4fac3 |
Paths and queries in the redirect URL take precedence over the original URL. When you turn on Send policy context, Gateway will append context to the end of the redirected URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:
`cloudflare.com/redirect-path?querystring=Y&user_email=user@example.com`
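A redirect target can validate the appended policy context before displaying it, since anyone can request the redirect URL with hand-written parameters. The following is an added example, not Cloudflare's code: the field names come from the policy context table, while the validation rules, the host `blockpage.example.net`, and the function names are assumptions.

```python
import html
import ipaddress
import uuid
from urllib.parse import parse_qs, urlsplit

# Field names are from the policy context table; the validation rules are
# assumptions inferred from the example values shown there.
UUID_FIELDS = {"cf_rule_id", "cf_device_id", "cf_query_id",
               "cf_connection_id", "cf_request_id"}
TEXT_FIELDS = {"cf_site_uri", "cf_referer", "cf_user_email", "cf_account_id",
               "cf_application_name", "cf_request_categories"}
# Constructed sample: the redirect URL's own query plus appended context.
SAMPLE_URL = ("https://blockpage.example.net/redirect-path?querystring=Y"
              "&cf_site_uri=https%3A%2F%2Fmalware.testcategory.com%2F"
              "&cf_rule_id=6d48997c-a1ec-4b16-b42e-d43ab4d071d1"
              "&cf_source_ip=203.0.113.5&cf_filter=http")


def _clean(name, value):
    """Return a normalized string, or None if the value does not fit."""
    try:
        if name in UUID_FIELDS:
            return str(uuid.UUID(value))
        if name == "cf_source_ip":
            return str(ipaddress.ip_address(value))
    except ValueError:
        return None
    if name == "cf_filter":
        return value if value in {"http", "dns", "av", "l4"} else None
    if name in TEXT_FIELDS:
        return value[:2048]  # free text: bound length, escape on output
    return None  # not a context field, e.g. the redirect URL's own query


def parse_policy_context(url):
    """Extract validated cf_* fields from the URL the browser was sent to."""
    context = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        cleaned = _clean(name, values[-1])  # Gateway appends context last
        if cleaned is not None:
            context[name] = cleaned
    return context


def render_summary(context):
    """HTML-escape every value: the query string is client-controlled."""
    return "<ul>" + "".join(
        f"<li>{html.escape(k)}: {html.escape(v)}</li>"
        for k, v in sorted(context.items())) + "</ul>"
```

Treat the parsed fields as display and triage hints only; use the rule ID or request ID to look up the authoritative event in your Gateway logs.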
You can customize the Cloudflare-hosted block page by making global changes that Gateway will display every time a user reaches your block page. Customizations will apply regardless of the type of policy (DNS or HTTP) that blocks the traffic.
To customize your block page:
- In Zero Trust, go to Settings > Custom Pages.
- Under Account Gateway block page, select Customize.
- Choose Custom Gateway block page. Gateway will display a preview of your custom block page. Available customizations include:
  - Your organization's name
  - Logo
  - Header text
  - Global block message, which will be displayed above the policy-specific block message
  - Mailto link
  - Background color
- Select Save.
Gateway will now display a custom Gateway block page when your users visit a blocked website.
You can include an external logo image to display on your custom block page. The block page resizes all images to 146x146 pixels. The URL must be valid and no longer than 2048 characters. Accepted file types include SVG, PNG, JPEG, and GIF.
You can add a Mailto link to your custom block page, which allows users to directly email you about the blocked site. When users select Contact your Administrator on your block page, an email template opens with the email address and subject line you configure, as well as the following diagnostic information:
Field | Description |
---|---|
Site URL | The URL of the blocked page. |
Rule ID | The ID of the Gateway policy that blocked the page. |
Source IP | The public source IP of the user device. |
Account ID | The Cloudflare account associated with the block policy. |
User ID | The ID of the user who visited the page. Currently, User IDs are not surfaced in the dashboard and can only be viewed by calling the API. |
Device ID | The ID of the device that visited the page. This is generated by the WARP client. |
Block Reason | Your policy-specific block message. |
For DNS Block policies, you will need to turn on the block page for each policy you want to display it for. For HTTP Block policies, Gateway automatically displays your global block page setting by default. You can override your global block page setting for both policy types within each policy's settings.
To turn on the block page or override your global block page setting for an individual policy:
- In Zero Trust, go to Gateway > Firewall policies > DNS.
- Select Add a policy to create a new policy, or choose the policy you want to customize and select Edit. You can only edit the block page for policies with a Block action.
- Under Configure policy settings, turn on Modify Gateway block behavior.
- Choose your block behavior:
  - Use account-level block setting: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an HTTP redirect, or a custom Gateway block page.
  - Override account setting with URL redirect: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level.
- (Optional) If your account-level block page setting uses a custom Gateway block page, you can turn on Add an additional message to your custom block page when traffic matches this policy to add a custom message to your custom block page when traffic is blocked by this policy. This option will replace the Message field.
- Select Save policy.
Depending on your settings, Gateway will display a block page in your users' browsers or redirect them to a specified URL when they are blocked by this policy.
- In Zero Trust, go to Gateway > Firewall policies > HTTP.
- Select Add a policy to create a new policy, or choose the policy you want to customize and select Edit. You can only edit the block page for policies with a Block action.
- Under Configure policy settings, go to Modify Gateway block behavior.
- Choose your block behavior:
  - Use account-level block setting: Use the global block page setting configured in your account settings. The global setting can be the default Gateway block page, an HTTP redirect, or a custom Gateway block page.
  - Override account setting with URL redirect: Redirect users with a `307` HTTP redirect to a URL you specify on a policy level.
- (Optional) If your account-level block page setting uses a custom Gateway block page, you can turn on Add an additional message to your custom block page when traffic matches this policy to add a custom message to your custom block page when traffic is blocked by this policy. This option will replace the Message field.
- Select Save policy.
Depending on your settings, Gateway will display a block page in your users' browsers or redirect them to a specified URL when they are blocked by this policy.
If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly installed a certificate on their devices. If a certificate is not installed or the installed certificate is invalid or expired, your user's browser may:
- Display an HTTP Response Code: 526 error page, indicating an insecure upstream.
- Close the connection and fail to display any pages.
For more information on fixing certificate issues, refer to Troubleshooting.
Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as iCloud Private Relay or Google Chrome IP Protection. To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway.
To turn off iCloud Private Relay, refer to the Apple user guides for macOS or iOS.
If an HTTP request that matches a block policy does not arrive at the same Cloudflare data center as its DNS query, Gateway will display the default block page instead of your custom block page.
This applies to DNS queries sent to any Gateway resolver endpoint, including those over IPv4, IPv6, and encrypted protocols like DoH (DNS over HTTPS) and DoT (DNS over TLS). If a DNS query is routed to a different Cloudflare data center than the corresponding HTTP request (for example, if DoH traffic is sent outside the WARP tunnel), Gateway cannot correlate the two requests and will display the default block page instead of your custom block page.
If the HTTP request comes from a different IP address than the DNS request, Gateway may not display the rule ID, custom message, or other fields on the block page. This can happen when a recursive DNS resolver's source IP address differs from the user device's IP address.