HTTP filtering

Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit. DNS filtering can only block or allow entire domains (for example, all of dropbox.com). HTTP filtering goes deeper — it inspects full URLs and request content, so you can block a specific page like dropbox.com/shared-folder, scan file uploads for sensitive data, or enforce acceptable use policies based on what users are actually doing on a site.

Note

For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the Secure your Internet traffic and SaaS apps implementation guide.

1. Connect to Gateway

HTTP filtering requires three components working together: the WARP client routes device traffic through Cloudflare, a root certificate lets Gateway decrypt HTTPS traffic so it can inspect URLs and content, and the Gateway proxy enables Gateway to intercept and evaluate HTTP requests. Without the certificate, Gateway can only see the domain name — not the full URL or request body.

To filter HTTP requests from a device:

1. Install the Cloudflare root certificate on your device.
2. Install the WARP client on your device.
3. In the WARP client Settings, log in to your organization's Cloudflare One instance.
4. Enable the Gateway proxy for TCP. Optionally, enable the UDP proxy to also inspect QUIC traffic on port 443 — this covers HTTP/3, a newer protocol some browsers use by default.
5. To inspect HTTPS traffic, enable TLS decryption. TLS decryption allows Gateway to read encrypted requests. Without it, Gateway can see that a user visited example.com but not which specific page or what they uploaded.
6. (Optional) To scan file uploads and downloads for malware, enable anti-virus scanning.

2. Verify device connectivity

To verify your device is connected to Cloudflare One and traffic is flowing through Gateway:

1. In Cloudflare One ↗, go to Traffic policies > Traffic settings.
2. Under Log traffic activity, enable activity logging for all HTTP logs.
3. On your device, open a browser and go to any website.
4. In Cloudflare One, go to Insights > Logs > HTTP.
5. Make sure HTTP requests from your device appear.

After creating your first HTTP policy in the next step, you can test it by visiting a URL that your policy should block and confirming the request is denied.

3. Create your first HTTP policy

An HTTP policy defines which requests to match (for example, uploads to file-sharing sites) and the action to take (for example, block).

To create a new HTTP policy:

Dashboard

1. In Cloudflare One ↗, go to Traffic policies > Firewall policies.

2. In the HTTP tab, select Add a policy.

3. Name the policy.

4. Under Traffic, build a logical expression that defines the traffic you want to allow or block.

5. Choose an Action to take when traffic matches the logical expression. For example, if you have configured TLS decryption, some applications that use embedded certificates may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

   Selector	Operator	Value	Action
   Application	in	Do Not Inspect	Do Not Inspect

   Cloudflare also recommends adding a policy to block known threats such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:

   Selector	Operator	Value	Action
   Security Categories	in	All security risks	Block

6. Select Create policy.

API

1. Create an API token with the following permissions:

   Type	Item	Permission
   Account	Zero Trust	Edit

2. (Optional) Configure your API environment variables to include your account ID and API token.

3. Send a POST request to the Create a Zero Trust Gateway rule endpoint. For example, if you have configured TLS decryption, some applications that use embedded certificates may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

   Create a Zero Trust Gateway rule

   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Do not inspect applications",
       "description": "Bypass TLS decryption for unsupported applications",
       "precedence": 0,
       "enabled": true,
       "action": "off",
       "filters": [
           "http"
       ],
       "traffic": "any(app.type.ids[*] in {16})",
       "identity": "",
       "device_posture": ""
     }'

   {
      "success": true,
      "errors": [],
      "messages": []
   }

   The API will respond with a summary of the policy and the result of your request.

   Cloudflare also recommends adding a policy to block known threats such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:

   Create a Zero Trust Gateway rule

   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Block known risks",
       "description": "Block all default Cloudflare HTTP security categories",
       "precedence": 0,
       "enabled": true,
       "action": "block",
       "filters": [
           "http"
       ],
       "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
       "identity": "",
       "device_posture": ""
     }'

For more information, refer to HTTP policies.

4. Add optional policies

Refer to our list of common HTTP policies for other policies you may want to create. Common additions include blocking file downloads by type, isolating risky websites in a remote browser, and adding Do Not Inspect rules for applications that break under TLS decryption (for example, apps that use certificate pinning to enforce their own certificates). Do Not Inspect rules tell Gateway to skip decryption for specific destinations so those applications continue to work.