Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.

Note: For a more detailed guide to filtering HTTP requests and other traffic for your organization, refer to the Secure your Internet traffic and SaaS apps implementation guide.

1. Connect to Gateway

To filter HTTP requests from a device:

2. Verify device connectivity

To verify your device is connected to Zero Trust:

1. In Zero Trust ↗, go to Settings > Network.
2. Under Gateway logging, enable activity logging for all HTTP logs.
3. On your device, open a browser and go to any website.
4. In Zero Trust, go to Logs > Gateway > HTTP. Make sure HTTP requests from your device appear.

3. Create your first HTTP policy

To create a new HTTP policy:

Dashboard

1. In Zero Trust ↗, go to Gateway > Firewall policies.
2. In the HTTP tab, select Add a policy.
3. Name the policy.
4. Under Traffic, build a logical expression that defines the traffic you want to allow or block.
5. Choose an Action to take when traffic matches the logical expression.

   For example, if you have configured TLS decryption, some applications that use embedded certificates may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

   | Selector    | Operator | Value          | Action         |
   |-------------|----------|----------------|----------------|
   | Application | in       | Do Not Inspect | Do Not Inspect |

   Cloudflare also recommends adding a policy to block known threats such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:

   | Selector            | Operator | Value              | Action |
   |---------------------|----------|--------------------|--------|
   | Security Categories | in       | All security risks | Block  |

6. Select Create policy.

API

1. Create an API token with the following permissions:

   | Type    | Item       | Permission |
   |---------|------------|------------|
   | Account | Zero Trust | Edit       |

2. (Optional) Configure your API environment variables to include your account ID and API token.
3. Send a POST request to the Create a Zero Trust Gateway rule endpoint.

   For example, if you have configured TLS decryption, some applications that use embedded certificates may not support HTTP inspection, such as some Google products. You can create a policy to bypass inspection for these applications:

   Required API token permissions: at least one of the following token permissions is required: Zero Trust Write.

   Create a Zero Trust Gateway rule:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Do not inspect applications",
       "description": "Bypass TLS decryption for unsupported applications",
       "precedence": 0,
       "enabled": true,
       "action": "off",
       "filters": ["http"],
       "traffic": "any(app.type.ids[*] in {16})",
       "identity": "",
       "device_posture": ""
     }'
   ```

   ```json
   {
     "success": true,
     "errors": [],
     "messages": []
   }
   ```

   The API will respond with a summary of the policy and the result of your request.

   Cloudflare also recommends adding a policy to block known threats such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence:

   Required API token permissions: at least one of the following token permissions is required: Zero Trust Write.

   Create a Zero Trust Gateway rule:

   ```sh
   curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
     --request POST \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "name": "Block known risks",
       "description": "Block all default Cloudflare HTTP security categories",
       "precedence": 0,
       "enabled": true,
       "action": "block",
       "filters": ["http"],
       "traffic": "any(http.request.uri.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
       "identity": "",
       "device_posture": ""
     }'
   ```
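The two API calls above, scripted as an added example (not Cloudflare's own tooling): it builds the same rule bodies and traffic expressions, posts them to the Create a Zero Trust Gateway rule endpoint, and fails loudly when the response does not report `success`. It assumes the `ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN` environment variables from the steps above and that a successful response carries the created rule under a `result` key.

```python
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def gateway_rule(name, description, action, traffic, precedence=0):
    """Request body for the Create a Zero Trust Gateway rule endpoint (HTTP filter)."""
    return {
        "name": name, "description": description, "precedence": precedence,
        "enabled": True, "action": action, "filters": ["http"],
        "traffic": traffic, "identity": "", "device_posture": "",
    }


def in_set(field, ids):
    """Render an 'any(field[*] in {...})' expression; Gateway's set syntax is space-separated."""
    return f"any({field}[*] in {{{' '.join(str(i) for i in ids)}}})"


def check_response(body):
    """Raise when the API reports failure; otherwise return the 'result' object (assumed key)."""
    resp = json.loads(body)
    if not resp.get("success"):
        raise RuntimeError(f"Gateway API error: {resp.get('errors')}")
    return resp.get("result")


def create_rule(account_id, token, rule, opener=urllib.request.urlopen):
    """POST one rule; 'opener' is injectable so the call can be exercised offline."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(rule).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as r:
        return check_response(r.read())


# Same two policies as the curl examples: bypass inspection, then block known risks.
DO_NOT_INSPECT = gateway_rule("Do not inspect applications",
                              "Bypass TLS decryption for unsupported applications",
                              "off", in_set("app.type.ids", [16]))
BLOCK_RISKS = gateway_rule("Block known risks",
                           "Block all default Cloudflare HTTP security categories", "block",
                           in_set("http.request.uri.security_category",
                                  [68, 178, 80, 83, 176, 175, 117, 131, 134, 151, 153]))

if __name__ == "__main__":
    for rule in (DO_NOT_INSPECT, BLOCK_RISKS):
        print(create_rule(os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"], rule))
```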

For more information, refer to HTTP policies.

4. Add optional policies

Refer to our list of common HTTP policies for other policies you may want to create.