Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

Set up Browser Isolation

Browser Isolation is enabled through Secure Web Gateway HTTP policies. By default, no traffic is isolated until you have added an Isolate policy to your HTTP policies.

1. Connect devices to Cloudflare

Setup instructions vary depending on how you want to connect your devices to Cloudflare. Refer to the links below to view the setup guide for each deployment option.

ConnectionModeDescription
Traffic and DNS modeIn-lineApply identity-based HTTP policies to traffic proxied through the Cloudflare One Client.
AccessIn-lineApply identity-based HTTP policies to Access applications that are rendered in a remote browser.
Gateway proxy endpointIn-lineApply non-identity HTTP policies to traffic forwarded to a proxy endpoint.
Cloudflare WANIn-lineApply non-identity HTTP policies to traffic connected through a GRE or IPsec tunnel (site-to-site encrypted connections to Cloudflare's network).
Clientless remote browserPrefixed URLRender web pages in a remote browser when users go to https://<your-team-name>.cloudflareaccess.com/browser/<URL>.

In-line mode means traffic is inspected as it flows through Gateway — users browse to websites using normal URLs, not a special Cloudflare prefix. Some in-line methods require device or network configuration, such as installing the Cloudflare One Client or configuring a PAC file. Prefixed URL mode requires users to visit a Cloudflare-hosted URL that wraps the target website.

2. Build an Isolation policy

To configure Browser Isolation policies:

  1. In Cloudflare One, go to Traffic policies > Firewall policies > HTTP.
  2. Select Add a policy and enter a name for the policy.
  3. Use the HTTP policy selectors and operators to specify the websites or content you want to isolate.
  4. For Action, choose either Isolate or Do not Isolate.
  5. (Optional) Configure settings for an Isolate policy.
  6. Select Create policy.

Next, verify that your policy is working.

3. Check if a web page is isolated

Users can see if a webpage is isolated by using one of the following methods:

  • Select the padlock in the address bar and check for the presence of a Cloudflare Root CA.
  • Right-click the web page and view the context menu options.

Normal browsing

  • A non-Cloudflare root certificate indicates that Cloudflare did not proxy this web page. The root certificate is the certificate authority (CA) that your browser trusts to verify the site's identity.

    Website does not present a Cloudflare root certificate

  • The right-click context menu will have all of the normal options.

    Normal right-click menu in browser

Isolated browsing

  • A Cloudflare root certificate indicates traffic was proxied through Cloudflare Gateway.

    Website presents a Cloudflare root certificate

  • The right-click context menu will be simplified.

    Simplified right-click menu in browser

Disconnect Browser Isolation

Cloudflare One Client users can temporarily disable remote browsing by disconnecting the Cloudflare One Client. Once the Cloudflare One Client is disconnected, a refresh will return the non-isolated page.