Cloudflare Docs
Privacy Gateway
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Get started

Privacy Gateway implementation consists of three main parts:

  1. Application Gateway Server/backend configuration (operated by you).
  2. Client configuration (operated by you).
  3. Connection to a Privacy Gateway Relay Server (operated by Cloudflare).

​​ Before you begin

Privacy Gateway is currently in closed beta. If you are interested, contact us.

​​ Step 1 - Configure your server

As a customer of the Privacy Gateway, you also need to add server support for OHTTP by implementing an application gateway server. The application gateway is responsible for decrypting incoming requests, forwarding the inner requests to their destination, and encrypting the corresponding response back to the client.

The server implementation will handle incoming requests and produce responses, and it will also advertise its public key configuration for clients to access. The public key configuration is generated securely and made available via an API. Refer to the README for details about configuration.

Applications can also implement this functionality themselves. Details about public key configuration, HTTP message encryption and decryption, and server-specific details can be found in the OHTTP specification.

​​ Resources

Use the following resources for help with server configuration:

​​ Step 2 - Configure your client

As a customer of the Privacy Gateway, you need to set up client-side support for the gateway. Clients are responsible for encrypting requests, sending them to the Cloudflare Privacy Gateway, and then decrypting the corresponding responses.

Additionally, app developers need to configure the client to fetch or otherwise discover the gateway’s public key configuration. How this is done depends on how the gateway makes its public key configuration available. If you need help with this configuration, contact us.

​​ Resources

Use the following resources for help with client configuration:

​​ Step 3 - Review your application

After you have configured your client and server, review your application to make sure you are only sending intended data to Cloudflare and the application backend. In particular, application data should not contain anything unique to an end-user, as this would invalidate the benefits that OHTTP provides.

  • Applications should scrub identifying user data from requests forwarded through the Privacy Gateway. This includes, for example, names, email addresses, phone numbers, etc.
  • Applications should encourage users to disable crash reporting when using Privacy Gateway. Crash reports can contain sensitive user information and data, including email addresses.
  • Where possible, application data should be encrypted on the client device with a key known only to the client. For example, iOS generally has good support for client-side encryption (and key synchronization via the KeyChain). Android likely has similar features available.

​​ Step 4 - Relay requests through Cloudflare

Before sending any requests, you need to first set up your account with Cloudflare. That requires contacting us and providing the URL of your application gateway server.

Then, make sure you are forwarding requests to a mutually agreed URL with the following conventions.