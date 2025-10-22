Isolation policies
With Browser Isolation, you can define policies to dynamically isolate websites based on identity, security threats, or content.
When an HTTP policy applies the Isolate action, the user's web browser is transparently served an HTML compatible remote browser client. Isolation policies can be applied to requests that include
Accept: text/html*. This allows Browser Isolation policies to co-exist with API traffic.
The following example enables isolation for all web traffic:
|Selector
|Operator
|Value
|Action
|Host
|matches regex
.*
|Isolate
If instead you need to isolate specific pages, you can list the domains for which you would like to isolate traffic:
|Selector
|Operator
|Value
|Action
|Domain
|In
example.com,
example.net
|Isolate
You can choose to disable isolation for certain destinations or categories. The following configuration disables isolation for traffic directed to
example.com:
|Selector
|Operator
|Value
|Action
|Host
|In
example.com
|Do Not Isolate
The following optional settings appear in the Gateway HTTP policy builder when you select the Isolate action. Configure these settings to prevent data loss ↗ when users interact with untrusted websites in the remote browser.
flowchart LR subgraph remotebrowser[Remote browser] siteA["Isolated website"]--Data-->remoteclip["Remote clipboard"] end subgraph client[Client] localclip["Local clipboard"] end remoteclip-->localclip
- Allow: (Default) Users can copy content from an isolated website to their local clipboard.
- Allow only within isolated browser: Users can only copy content from an isolated website to the remote clipboard. Users cannot copy content out of the remote browser to the local clipboard. You can use this setting alongside Paste (from client to remote): Allow only within isolated browser to only allow copy-pasting between isolated websites.
- Do not allow: Prohibits users from copying content from an isolated website.
flowchart LR subgraph client[Client] localclip["Local clipboard"] end subgraph remotebrowser[Remote browser] remoteclip["Remote clipboard"]-->siteA["Isolated website"] end localclip--Data-->remoteclip
- Allow: (Default) Users can paste content from their local clipboard to an isolated website.
- Allow only within isolated browser: Users can only paste content from the remote clipboard to an isolated website. Users cannot paste content from their local clipboard to the remote browser. You can use this setting alongside Copy (from remote to client): Allow only within isolated browser to only allow copy-pasting between isolated websites.
- Do not allow: Prohibits users from pasting content into an isolated website.
- Allow: (Default) User can download files from an isolated website to their local machine.
- Do not allow: Prohibits users from downloading files from an isolated website to their local machine.
- View in remote browser: Users can open and view files in an isolated environment.
- Allow: (Default) Users can upload files from their local machine into an isolated website.
- Do not allow: Prohibits users from uploading files from their local machine into an isolated website.
- Allow: (Default) Users can perform keyboard inputs into an isolated website.
- Do not allow: Prohibits users from performing keyboard inputs into an isolated website.
- Allow: (Default) Users can print isolated web pages to their local machine.
- Do not allow: Prohibits users from printing isolated web pages to their local machine.
With custom block dialogs, you can host a custom block page when users are blocked from taking specific actions, like copying, pasting, downloading, uploading, performing keyboard inputs, or printing, within an isolated browser session.
Administrators can configure custom block dialogs to explain the reason for the block, and guide the users on how to resolve their issue using the provided query parameters:
action: copy, paste, download, upload, perform keyboard inputs, and print
cf_colo: for example,
sea01
client_url: for example,
https://example.com
policy_id: 32-character id
rbi_debug_id: 32-character id
user_id: 32-character id
Custom block dialogs are still in beta. Contact your account team to start using custom block dialogs.
Isolate security threats such as malware and phishing.
|Selector
|Operator
|Value
|Action
|Security Categories
|in
|All security risks
|Isolate
At least one of the following token permissions
is required:
Required API token permissions
Zero Trust Write
Isolate high risk content categories such as newly registered domains.
|Selector
|Operator
|Value
|Action
|Content Categories
|in
|Security Risks
|Isolate
At least one of the following token permissions
is required:
Required API token permissions
Zero Trust Write
Isolate news and media sites, which are targets for malvertising attacks.
|Selector
|Operator
|Value
|Action
|Content Categories
|in
|News and Media
|Isolate
At least one of the following token permissions
is required:
Required API token permissions
Zero Trust Write
Isolate content that has not been categorized by Cloudflare Radar.
|Selector
|Operator
|Value
|Action
|Content Categories
|not in
|All content categories
|Isolate
At least one of the following token permissions
is required:
Required API token permissions
Zero Trust Write
Isolate the use of ChatGPT.
|Selector
|Operator
|Value
|Action
|Application
|in
|ChatGPT
|Isolate
In Configure policy settings, you can customize restrictions for ChatGPT. For example, to prevent your users from inputting sensitive information, you can select Disable copy / paste and Disable file uploads.
At least one of the following token permissions
is required:
Required API token permissions
Zero Trust Write
