Common policies

Date: 2025-10-22
The following policies are commonly used to secure HTTP traffic.
Refer to the HTTP policies page for a comprehensive list of other selectors, operators, and actions.
Block attempts to reach sites by hostname or URL path. Different approaches may be required based on how a site is organized.

Block a host and all of its subdomains.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Host | matches regex | `.*example\.com` | Block |

This pattern has no end anchor, so it also matches hostnames that merely contain `example.com`, such as `notexample.com`. To match only the domain itself and its subdomains, anchor the pattern, for example `^(.+\.)?example\.com$` (the same shape used for `translate.goog` later on this page).
Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as `reddit.com/r/gaming`, without blocking `reddit.com`.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| URL | matches regex | `/r/gaming` | Block |

Because the pattern is not bounded on the right, it also matches other paths that begin with the same characters, such as `/r/gamingnews`. Use `/r/gaming(/|$)` if you want to match that subreddit alone.
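To see what the two patterns above actually catch, the following script applies them to a constructed list of hostnames and URLs. It is an added example, not part of the Cloudflare documentation or product: the sample hostnames and URLs are made up, it assumes the "matches regex" operator behaves as an unanchored search (so `^` and `$` are the policy author's responsibility), and it assumes the URL selector is compared against host plus path without the scheme. It also shows the anchored host pattern and the bounded path pattern side by side with the page's originals.

```python
import re

# Constructed sample hostnames (not taken from any real log).
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "api.eu.example.com",
    "notexample.com",            # a different registrable domain
    "example.com.attacker.net",  # the name reused as a label under someone else's domain
    "example.org",
]

# Constructed sample URLs as host + path (assumption: the URL selector is
# matched against hostname and path, without the scheme).
SAMPLE_URLS = [
    "www.reddit.com/r/gaming",
    "www.reddit.com/r/gaming/comments/abc123",
    "www.reddit.com/r/gamingnews",   # a different subreddit with a shared prefix
    "www.reddit.com/r/python",
    "www.reddit.com/",
]


def matches(pattern: str, value: str) -> bool:
    """Evaluate a 'matches regex' condition.

    Assumption: the pattern is applied as an unanchored search, so anchoring
    with ^ and $ has to be written into the pattern by the policy author.
    """
    return re.search(pattern, value) is not None


def blocked(pattern: str, values) -> list:
    """Return the sample values that a Block policy using `pattern` would catch."""
    return [v for v in values if matches(pattern, v)]


# Host patterns
BROAD_HOST = r".*example\.com"             # the page's pattern
ANCHORED_HOST = r"^(.+\.)?example\.com$"   # the domain itself or any subdomain of it

# URL patterns
BROAD_PATH = r"/r/gaming"                  # the page's pattern
BOUNDED_PATH = r"/r/gaming(/|$)"           # the subreddit only, not /r/gamingnews


def main() -> None:
    cases = [
        ("Host, page pattern", BROAD_HOST, SAMPLE_HOSTS),
        ("Host, anchored", ANCHORED_HOST, SAMPLE_HOSTS),
        ("URL, page pattern", BROAD_PATH, SAMPLE_URLS),
        ("URL, bounded", BOUNDED_PATH, SAMPLE_URLS),
    ]
    for label, pattern, values in cases:
        print(f"{label:20} {pattern:28} -> {blocked(pattern, values)}")


if __name__ == "__main__":
    main()
```

Run it and compare the two host lines: the page's pattern blocks `notexample.com` and `example.com.attacker.net` alongside the intended hosts, while the anchored form blocks exactly `example.com` and its subdomains. The URL lines show the same effect for `/r/gamingnews`.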
Block content categories which go against your organization's acceptable use policy.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content Categories | in | Questionable Content, Security Risks, Miscellaneous, Adult Themes, Gambling | Block |
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Artificial Intelligence | Block |
Configure access on a per-user or per-group basis by adding identity-based conditions to your policies. For example, the following policy blocks Salesforce only for members of the Contractors group; both conditions must match because they are combined with And.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Salesforce | And | Block |
| User Group Names | in | Contractors | | |
Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The TLS decryption performed by Cloudflare Gateway causes errors when users connect to those applications. To avoid this, add a Do Not Inspect HTTP policy for them.

Gateway evaluates Do Not Inspect policies before all other HTTP policies, regardless of where they sit in the list. We recommend moving your Do Not Inspect policies to the top of the list so that the order shown matches the order of evaluation. Keep in mind that traffic matched by a Do Not Inspect policy is passed through without TLS decryption, so none of your other HTTP policies (such as file type or content category blocks) can apply to it; scope these policies as narrowly as possible.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Do Not Inspect | Do Not Inspect |
Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to Enforce device posture.

Perform an OS version check to ensure users are running at least a minimum version.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Passed Device Posture Checks | in | Minimum OS version | Allow |
Perform a file check to ensure users have a certain file on their device.

Since the file path will be different for each operating system, you can configure a file check for each system and use the Or logical operator to require only one of the checks to pass.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Passed Device Posture Checks | in | macOS File Check | Or | Allow |
| Passed Device Posture Checks | in | Linux File Check | | |
Require users to re-authenticate after a certain amount of time has elapsed.
If you are using the Browser Isolation add-on, refer to our list of common Isolate policies.
When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption. As with any Do Not Inspect policy, your other HTTP policies will not apply to this traffic, so limit the bypass to the specific hosts that need it.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Domain | in | `internal.example.com` | Do Not Inspect |
Block the upload or download of files based on their type. A single request is either an upload or a download, so the two conditions are combined with Or; combined with And, the policy would only match a request that uploads a Word document and downloads a PDF at the same time, and would not fire in practice.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Upload File Types | in | Microsoft Office Word Document (docx) | Or | Block |
| Download File Types | in | PDF (pdf) | | |

For more information on supported file types, refer to Download and Upload File Types.
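The two points made above, that Do Not Inspect policies are evaluated before everything else whatever their list position, and that the Logic column decides whether a policy with several rows matches on all rows or on any row, are easier to reason about with a small simulator. The following script is an added example and not Cloudflare code: it models policies as selector/operator/value rows, evaluates constructed sample requests against the policies from this page, and reports which policy fires. It assumes that "matches regex" is an unanchored search, that unmatched traffic is allowed, and it represents an application together with the application groups it belongs to (such as Do Not Inspect) as a list of tags on the request; the request attributes themselves are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Condition:
    selector: str        # e.g. "Application", "Host", "Upload File Types"
    operator: str        # "in", "is", "is not" or "matches regex"
    value: object        # a set of names for "in", a string otherwise


@dataclass
class Policy:
    name: str
    action: str          # "Allow", "Block", "Isolate" or "Do Not Inspect"
    conditions: tuple
    logic: str = "And"   # how several rows combine: "And" or "Or"


def condition_matches(cond: Condition, request: dict) -> bool:
    """Evaluate one selector/operator/value row against a request's attributes."""
    actual = request.get(cond.selector)
    if cond.operator == "in":
        # Multi-valued selectors (application tags, passed posture checks,
        # file types) are modelled as lists; the row matches if any value is listed.
        values = set(actual) if isinstance(actual, (list, tuple, set)) else {actual}
        return bool(values & set(cond.value))
    if cond.operator == "is":
        return actual == cond.value
    if cond.operator == "is not":
        return actual != cond.value
    if cond.operator == "matches regex":
        # Assumption: unanchored search, so patterns need ^/$ to be pinned.
        return actual is not None and re.search(cond.value, str(actual)) is not None
    raise ValueError(f"unknown operator {cond.operator!r}")


def policy_matches(policy: Policy, request: dict) -> bool:
    results = [condition_matches(c, request) for c in policy.conditions]
    return all(results) if policy.logic == "And" else any(results)


def evaluate(policies, request: dict, dni_first: bool = True):
    """Return (action, policy name) of the first policy that matches.

    With dni_first=True, Do Not Inspect policies are tried before every other
    policy no matter where they sit in the list, which is how Gateway orders
    them. When nothing matches, traffic is allowed (assumption: implicit allow).
    """
    ordered = list(policies)
    if dni_first:
        ordered = ([p for p in ordered if p.action == "Do Not Inspect"]
                   + [p for p in ordered if p.action != "Do Not Inspect"])
    for p in ordered:
        if policy_matches(p, request):
            return p.action, p.name
    return "Allow", None


def file_type_policy(logic: str) -> Policy:
    """The docx-upload / pdf-download policy from this page with a chosen Logic."""
    return Policy("Block file types", "Block", (
        Condition("Upload File Types", "in", {"Microsoft Office Word Document (docx)"}),
        Condition("Download File Types", "in", {"PDF (pdf)"}),
    ), logic=logic)


SALESFORCE_CONTRACTORS = Policy("Block Salesforce for contractors", "Block", (
    Condition("Application", "in", {"Salesforce"}),
    Condition("User Group Names", "in", {"Contractors"}),
), logic="And")

# Deliberately placed last in the list to show that it is still evaluated first.
SKIP_PINNED = Policy("Skip certificate-pinned applications", "Do Not Inspect", (
    Condition("Application", "in", {"Do Not Inspect"}),
))

POLICIES = [file_type_policy("Or"), SALESFORCE_CONTRACTORS, SKIP_PINNED]
POLICIES_WITH_AND = [file_type_policy("And"), SALESFORCE_CONTRACTORS, SKIP_PINNED]

# Constructed sample requests (modelling assumption: "Application" lists the app
# name together with the application groups it belongs to).
REQ_ZOOM_PDF = {"Application": ["Zoom", "Do Not Inspect"],
                "Download File Types": ["PDF (pdf)"]}
REQ_CONTRACTOR_SF = {"Application": ["Salesforce"], "User Group Names": ["Contractors"]}
REQ_EMPLOYEE_SF = {"Application": ["Salesforce"], "User Group Names": ["Employees"]}
REQ_DOCX_UPLOAD = {"Application": ["Google Drive"],
                   "Upload File Types": ["Microsoft Office Word Document (docx)"]}

if __name__ == "__main__":
    print("Zoom PDF, Gateway order:   ", evaluate(POLICIES, REQ_ZOOM_PDF))
    print("Zoom PDF, naive list order:", evaluate(POLICIES, REQ_ZOOM_PDF, dni_first=False))
    print("Contractor on Salesforce:  ", evaluate(POLICIES, REQ_CONTRACTOR_SF))
    print("Employee on Salesforce:    ", evaluate(POLICIES, REQ_EMPLOYEE_SF))
    print("docx upload, Or logic:     ", evaluate(POLICIES, REQ_DOCX_UPLOAD))
    print("docx upload, And logic:    ", evaluate(POLICIES_WITH_AND, REQ_DOCX_UPLOAD))
```

The first two lines of output show why the page recommends moving Do Not Inspect policies to the top: a PDF downloaded through a pinned application is passed through uninspected even though a Block policy for PDF downloads sits earlier in the list, and reading the list top to bottom would suggest the opposite. The last two lines show the file-type policy matching a docx upload only when its rows are combined with Or.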
Isolate shadow IT applications discovered by the Application Library that have not been reviewed yet or are currently under review, and block applications that are not approved by your organization.

For more information on reviewing shadow IT applications, refer to Review applications.

Isolate applications if their approval status is Unreviewed or In review.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application Status | is | Unreviewed | Or | Isolate |
| Application Status | is | In review | | |
Block applications if their approval status is Unapproved.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application Status | is | Unapproved | Block |
To enable Gateway inspection for Google Drive traffic, you must add a Cloudflare certificate to Google Drive.

Block file downloads from Google Drive.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Google Drive | And | Block |
| URL Path & Query | matches regex | `.*(e=download\|export).*` | | |
Block file uploads to Google Drive.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Google Drive | And | Block |
| Upload Mime Type | matches regex | `.*` | And | |
| Host | is not | `drivefrontend-pa.clients6.google.com` | | |
Block file downloads from Gmail.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Host | is | `mail-attachment.googleusercontent.com` | And | Block |
| URL Path & Query | is | `/attachment/u/0` | | |
Block use of Google Translate to translate entire webpages.

When translating a website, Google Translate proxies webpages through the `translate.goog` domain. Your users may be able to use this service to bypass other Gateway policies, because the blocked site's content is then served from a `translate.goog` hostname rather than the original host. If you block `translate.goog`, users will still be able to access other Google Translate features.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Domain | matches regex | `^(.+\.)?translate\.goog$` | Block |
Gateway does not inspect or log WebSocket traffic. Instead, Gateway only logs the HTTP details of the request that establishes the WebSocket connection, together with network session information. To filter your WebSocket traffic, create a policy that matches the `101` HTTP response code returned for that upgrade request.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| HTTP Response | is | 101 SWITCHING_PROTOCOLS | Allow |
