Common HTTP policies
The following policies are commonly used to secure HTTP traffic. Refer to the HTTP policies page for a comprehensive list of other selectors, operators, and actions.
Block attempts to reach sites by hostname or URL paths. Different approaches may be required based on how a site is organized.
Block sites by hostname
Block all subdomains that use a host.

Selector | Operator      | Value | Action
Host     | matches regex |       |
Block sites by URL
Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as reddit.com/r/gaming, without blocking

Selector | Operator      | Value | Action
URL      | matches regex |       |
Block content categories
Block content categories that go against your organization's acceptable use policy.

Selector           | Operator | Value                  | Action
Content Categories | in       | Adult Themes, Gambling | Block
Block unauthorized applications
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks AI assistants:

Selector    | Operator | Value | Action
Application | in       |       | Block

After seven days, view your shadow IT analytics and block additional applications based on what your users are accessing.
Check user identity
Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.

Selector         | Operator | Value      | Logic | Action
Application      | in       | Salesforce | And   | Block
User Group Names | in       |            |       |
Skip inspection for groups of applications
Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The TLS inspection performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy. Do Not Inspect policies are evaluated first. We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion.

Selector    | Operator | Value          | Action
Application | in       | Do Not Inspect | Do Not Inspect

You can select either individual applications or the entire Do Not Inspect set, which will update as new applications are added.
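The following is an added example, not Cloudflare's code or this page's own: a toy model of an ordered HTTP policy list that shows the two behaviours the hostname/URL regex policies and the Do Not Inspect section rely on. It assumes Do Not Inspect policies are evaluated before all others, that the first matching policy then wins in list order, and that "matches regex" uses unanchored search semantics; the hostnames, URLs and policy names are constructed.

```python
import re
from dataclasses import dataclass

# Toy model (constructed for this page, not Cloudflare code) of how an ordered
# list of Gateway HTTP policies is evaluated. Assumptions: "Do Not Inspect"
# policies are evaluated before all others, then first match wins in list
# order, and "matches regex" uses unanchored search semantics.

@dataclass
class Rule:
    selector: str   # "Host", "URL" or "Application"
    operator: str   # "is", "in" or "matches regex"
    value: object   # str for is/matches regex, set for in

@dataclass
class Policy:
    name: str
    action: str     # "Block", "Allow" or "Do Not Inspect"
    rules: list     # every rule must hold (And logic)

def rule_matches(rule: Rule, request: dict) -> bool:
    field = request[rule.selector]
    if rule.operator == "is":
        return field == rule.value
    if rule.operator == "in":
        return field in rule.value
    if rule.operator == "matches regex":
        return re.search(rule.value, field) is not None
    raise ValueError(f"unknown operator: {rule.operator}")

def evaluate(policies: list, request: dict) -> str:
    ordered = [p for p in policies if p.action == "Do Not Inspect"]
    ordered += [p for p in policies if p.action != "Do Not Inspect"]
    for policy in ordered:
        if all(rule_matches(r, request) for r in policy.rules):
            return policy.action
    return "Allow"   # nothing matched: traffic is allowed by default

# Constructed policy list; the Do Not Inspect policy deliberately sits last.
# The host regex is anchored so that "notzoom.us" is not caught by accident.
POLICIES = [
    Policy("Block Zoom by host", "Block",
           [Rule("Host", "matches regex", r"(^|\.)zoom\.us$")]),
    Policy("Block gaming subreddit", "Block",
           [Rule("URL", "matches regex", r"^reddit\.com/r/gaming(/|$)")]),
    Policy("Skip pinned apps", "Do Not Inspect",
           [Rule("Application", "in", {"Zoom", "Apple services"})]),
]

def decide(host: str, url: str, application: str = "") -> str:
    return evaluate(POLICIES, {"Host": host, "URL": url, "Application": application})
```

Even though the Block-by-host policy is listed first, a request Gateway classifies as the Zoom application is handled by the Do Not Inspect policy; only unclassified traffic to a zoom.us host reaches the Block rule.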
Check device posture
Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to Enforce device posture.
Enforce a minimum OS version
An OS version check ensures users are running at least a minimum version.

Selector                     | Operator | Value              | Action
Passed Device Posture Checks | in       | Minimum OS version |
Check for a specific file
A file check ensures users have a certain file on their system. Since the file path will be different for each operating system, you can configure a file check for each system and use the Or logical operator to require only one of the checks to pass.

Selector                     | Operator | Value            | Logic | Action
Passed Device Posture Checks | in       | macOS File Check | Or    | Allow
Passed Device Posture Checks | in       | Linux File Check |       |
Enforce session duration
Require users to re-authenticate after a certain amount of time has elapsed.
Isolate high risk sites in remote browser
If you are using the Browser Isolation add-on, refer to our list of common Isolate policies.
Bypass inspection for self-signed certificates
When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption.
Selector | Operator | Value | Action
Domain   | in       |       | Do Not Inspect
Block file types
Block the upload or download of files based on their type.
Selector           | Operator | Value                                 | Logic | Action
Upload File Type   | in       | Microsoft Office Word Document (docx) | And   | Block
Download File Type | in       | PDF (pdf)                             |       |
Block Google services
To enable Gateway inspection for Google Drive traffic, you must add the Cloudflare certificate to Google Drive.
Block Google Drive uploads
Block file uploads to Google Drive.
Selector         | Operator      | Value        | Logic | Action
Application      | in            | Google Drive | And   | Block
Upload Mime Type | matches regex |              |       |
Block Google Drive downloads
Block file downloads from Google Drive.
Selector         | Operator      | Value        | Logic | Action
Application      | in            | Google Drive | And   | Block
URL Path & Query | matches regex |              |       |
Block Gmail downloads
Block file downloads from Gmail.
Selector         | Operator | Value | Logic | Action
Host             | is       |       | And   | Block
URL Path & Query | is       |       |       |