Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Global policies

Cloudflare Zero Trust applies a set of global policies to all accounts.

​​ DNS policies

Hostname*.nel.cloudflare.comallowAllows SNI domains for WARP registration.
Hostname*.cloudflareclient.comallowAllows Zero Trust client.
Hostname*.cloudflare-gateway.comallowAllows Gateway proxy with PAC files.,,,,,, and one.dash.cloudflare.comallowAllows Cloudflare Zero Trust services.
Hostname*.cloudflareaccess.comallowAllows Cloudflare Access applications.

​​ Network proxy policies

Hostname*.cloudflareaccess.comallowAllows Cloudflare Access applications.
Hostnamehelp.teams.cloudflare.comallowUsed by the WARP client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device.
Content CategoryChild AbuseblockBlocks child abuse materials.

​​ HTTP inspection policies

Hostname*.cloudflareclient.combypassEnsures users cannot accidentally block themselves from making account changes.
Hostname*.cloudflarestatus.combypassBypasses so users can reach the status page in case of a Gateway outage.
Hostname*.cloudflare-gateway.combypassEnsures requests to the DNS endpoint will not be inspected.
Hostname*.nel.cloudflare.combypassBypasses * for Cloudflare’s network error logging feature.
Hostnameapi.cloudflare.combypassBypasses Cloudflare’s API endpoint.
Hostnamedash.teams.cloudflare.combypassPrevents users from being locked out of the Zero Trust dashboard.
Hostname*.dash.cloudflare.combypassBypasses the Cloudflare dashboard and subdomains.
Hostnameblocked.teams.cloudflare.combypassPrevents an infinite loop on the Gateway block page. and help.cloudflarebrowser.comnoisolatePrevents isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues.
Hostname*.assets.browser.runbypassRequired for Remote Browser Isolation (RBI).
Hostname* and *.cloudflarebrowser.combypassRequired for RBI.
Hostname* and *.cloudflarebrowser.comisolateRequired for RBI.
Hostnamespeed.cloudflare.comnoscanAllows files transferred by the Cloudflare speed test.
Request HeaderAccept: text/htmlnoisolateEnsures only browsers will be isolated. Browsers issue an Accept: HTTP header that begins with text/html.
ApplicationOnline Certificate Status ProtocolbypassEnables OCSP stapling.