HTTP policies
HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and optionally UDP) traffic sent over ports 80 and 443.
An HTTP policy consists of an Action as well as a logical expression that determines the scope of the policy. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field. You can use And and Or logical operators to evaluate multiple conditions.
If a condition in an expression joins a query attribute (such as Source IP) and a response attribute (such as Resolved IP), then the condition will be evaluated when the response is received.
Actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.
API value: allow
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- DLP Profile
- Domain
- Download File Types
- Download Mime Type
- Host
- HTTP Method
- HTTP Response
- Proxy Endpoint
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Upload File Types
- Upload Mime Type
- URL
- URL Path
- URL Path & Query
- URL Query
- Virtual Network
Identity
Device Posture
The Allow action allows outbound traffic to reach destinations you specify within the Selectors and Value fields. For example, the following configuration allows traffic to reach all websites we categorize as belonging to the Education content category:
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | Education | Allow |
The Untrusted certificate action determines how to handle insecure requests.
Option | Action |
---|---|
Error | Display Gateway error page. Matches the default behavior when no action is configured. |
Block | Display block page as set in Zero Trust. |
Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. To use this feature, deploy a custom root certificate. For more information on what statuses are bypassed, refer to the troubleshooting FAQ. |
API value: block
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- DLP Profile
- Domain
- Download File Types
- Download Mime Type
- Host
- HTTP Method
- HTTP Response
- Proxy Endpoint
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Upload File Types
- Upload Mime Type
- URL
- URL Path
- URL Path & Query
- URL Query
- Virtual Network
Identity
Device Posture
The Block action blocks outbound traffic from reaching destinations you specify within the Selectors and Value fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive:
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Application | in | Google Drive | And | Block |
Upload Mime Type | matches regex | .* |
Feature availability
WARP modes | Zero Trust plans ↗ |
---|---|
| Enterprise |
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.1.159.0 |
macOS | ✅ | 2024.1.160.0 |
Linux | ❌ | |
iOS | ✅ | 1.7 |
Android | ✅ | 1.4 |
ChromeOS | ✅ | 1.4 |
Turn on Display block notification for WARP client to display notifications for Gateway block events. Blocked users will receive an operating system notification from the WARP client with a custom message you set. If you do not set a custom message, the WARP client will display a default message. Custom messages must be 100 characters or less. WARP will only display one notification per minute.
Upon selecting the notification, WARP will direct your users to a block page. Optionally, you can direct users to a custom URL, such as an internal support form.
Your device may not display block notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the macOS documentation ↗.
API value: isolate
Available selectors
Traffic
- Application
- Content Categories
- Domain
- Host
- HTTP Method
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- URL
- URL Path
- URL Path & Query
- URL Query
Identity
Device Posture
The Isolate action serves matched traffic to users via Cloudflare Browser Isolation. For more information on this action, refer to Isolation policies.
API value: noisolate
Available selectors
Traffic
- Application
- Content Categories
- Domain
- Host
- HTTP Method
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- URL
- URL Path
- URL Path & Query
- URL Query
Identity
Device Posture
The Do Not Isolate action turns off browser isolation for matched traffic. For more information on this action, refer to Isolation policies.
API value: off
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Domain
- Host
- Proxy Endpoint
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- Virtual Network
Identity
Device Posture
Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. When accessing a Do Not Inspect site in the browser, your browser may display a Your connection is not private warning, which you can proceed through to connect. For more information about applications which may require a Do Not Inspect policy, refer to TLS decryption limitations.
All Do Not Inspect rules are evaluated first, before any Allow or Block rules, to determine if inspection should occur. For more information, refer to Order of enforcement.
API value: noscan
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Domain
- Host
- HTTP Method
- Proxy Endpoint
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- URL
- URL Path
- URL Path & Query
- URL Query
- Virtual Network
Identity
Device Posture
When an admin enables AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning by leveraging the HTTP rules. For example, to prevent AV scanning of files uploaded to or downloaded from example.com
, an admin would configure the following rule:
Selector | Operator | Value | Action |
---|---|---|---|
Hostname | matches regex | .*example.com | Do Not Scan |
When a Do Not Scan rule matches, nothing is scanned, regardless of file size or whether the file type is supported or not.
API value: quarantine
Available selectors
Traffic
- Application
- Content Categories
- Destination Continent IP Geolocation
- Destination Country IP Geolocation
- Destination IP
- Domain
- Host
- HTTP Method
- Proxy Endpoint
- Security Risks
- Source Continent IP Geolocation
- Source Country IP Geolocation
- Source Internal IP
- Source IP
- URL
- URL Path
- URL Path & Query
- URL Query
- Virtual Network
Identity
Device Posture
The Quarantine action sends files in matching requests to a file sandbox to scan for malware. Gateway will only quarantine files not previously seen in the file sandbox. For more information on this action, refer to File sandboxing.
In Sandbox file types, you can select which file types to quarantine with your policy. You must select at least one file type.
File sandboxing supports scanning the following file types:
Supported sandboxing file types
.exe
.pdf
.doc
.docm
.docx
.rtf
.ppt
.pptx
.xls
.xlsm
.xlsx
.zip
.rar
Gateway matches HTTP traffic against the following selectors, or criteria:
You can apply HTTP policies to a growing list of popular web applications. Refer to Application and app types for more information.
UI name | API example | Evaluation phase |
---|---|---|
Application | any(app.ids[*] in {505}) | Before DNS resolution |
UI name | API example |
---|---|
Content Categories | not(any(http.conn.content_category[*] in {1})) |
For more information, refer to the list of content categories.
The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:
Continent | Code |
---|---|
Africa | AF |
Antarctica | AN |
Asia | AS |
Europe | EU |
North America | NA |
Oceania | OC |
South America | SA |
Tor network | T1 |
UI name | API example |
---|---|
Destination Continent IP Geolocation | http.dst_ip.geo.continent == "EU" |
The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code ↗ in the Value field.
UI name | API example |
---|---|
Destination Country IP Geolocation | http.dst_ip.geo.country == "RU" |
UI name | API example |
---|---|
Destination IP | http.conn.dst_ip == "10.0.0.0/8" |
With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.
For more information on device posture checks, refer to Device posture.
UI name | API example |
---|---|
Passed Device Posture Checks | any(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}) , any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})" |
Use this selector to match against a domain and all subdomains -- for example, if you want to block example.com
and subdomains such as www.example.com
.
UI name | API example |
---|---|
Domain | any(http.conn.domains[*] == "example.com") |
These selectors will scan file signatures in the HTTP body. You can select from file categories or specific file types, such as executables, archives and compressed files, Microsoft 365/Office documents, and Adobe files:
Supported file types
Compressed
- 7-Zip archive (
.7z
) bzip2
archive (.bz2
)- GNU Gzip archive (
.gz
) - Microsoft Cabinet file (
.cab
) - Microsoft Compiled HTML Help file (
.chm
) - RAR archive (
.rar
) xz
archive (.xz
)- ZIP archive (
.zip
)
Documents
- Microsoft Office/365 files
- Word document (
.doc
,.docx
,.docm
) - Excel spreadsheet (
.xls
,.xlsx
,.xlsm
) - PowerPoint presentation (
.ppt
,.pptx
,.pptm
)
- Word document (
- PDF document (
.pdf
)
Executable
- Dynamic-link library (DLL) file (
.dll
) - Executable and Linkable Format (ELF) file (
.elf
) - Java archive (JAR) package (
.jar
) - Java class file (
.class
) - Mach object (Mach-O) file (
.macho
) - Microsoft Windows installer (
.msi
) - Microsoft Windows executable (
.exe
)
Image
- Adobe Photoshop document (
.psd
) - Bitmap image (
.bmp
) - GIF image (
.gif
) - Icon file (
.ico
) - JPEG image (
.jpg
,.jpeg
) - PNG image (
.png
) - WebP image (
.webp
)
Other
- BitTorrent file (
.torrent
)
UI name | API example |
---|---|
Download File Types | any(http.download.file.types[*] in {"docx" "7z"}) |
UI name | API example |
---|---|
Upload File Types | any(http.upload.file.types[*] in {"compressed"}) |
These selectors depend on the Content-Type
header being present in the request (for uploads) or response (for downloads).
UI name | API example |
---|---|
Download Mime Type | http.download.mime == "image/png\" |
UI name | API example |
---|---|
Upload Mime Type | http.upload.mime == "image/png\" |
Scans HTTP traffic for the presence of social security numbers and other PII. You must configure the DLP Profile before you can use this selector in your policy. For more information, refer to our DLP Profile documentation.
Use this selector to match only the hostname specified -- for example, if you want to block test.example.com
but not example.com
or www.test.example.com
.
UI name | API example |
---|---|
Host | http.conn.hostname == "test.example.com" |
UI name | API example |
---|---|
HTTP Method | http.request.method == "GET" |
UI name | API example |
---|---|
URL | http.response.status_code == "200" |
The proxy server where your browser forwards HTTP traffic.
UI name | API example |
---|---|
Proxy Endpoint | proxy.endpoint == "3ele0ss56t.proxy.cloudflare-gateway.com" |
UI name | API example |
---|---|
Security Risks | any(http.conn.security_category[*] in {1}) |
For more information, refer to the list of security categories.
The continent of the user making the request.
Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a continent, enter its two-letter code into the Value field:
Continent | Code |
---|---|
Africa | AF |
Antarctica | AN |
Asia | AS |
Europe | EU |
North America | NA |
Oceania | OC |
South America | SA |
Tor network | T1 |
UI name | API example | Evaluation phase |
---|---|---|
Source Continent IP Geolocation | http.src_ip.geo.continent == "North America" | Before DNS resolution |
The country of the user making the request.
Geolocation is determined from the device's public IP address (typically assigned by the user's ISP). To specify a country, enter its ISO 3166-1 Alpha-2 code ↗ in the Value field.
UI name | API example | Evaluation phase |
---|---|---|
Source Country IP Geolocation | http.src_ip.geo.country == "RU" | Before DNS resolution |
Use this selector to apply HTTP policies to a private IP address, assigned by a user's local network, that requests arrive to Gateway from. This selector will only apply to users connected through a Magic GRE or IPSec tunnel.
UI name | API example |
---|---|
Source Internal IP | http.conn.internal_src_ip == "192.168.86.0/27" |
UI name | API example |
---|---|
Source IP | http.conn.src_ip == "10.0.0.0/8" |
Gateway ignores trailing forward slashes (/
) in URLs. For example, https://example.com
and https://example.com/
will count as the same URL and may return a duplicate error.
UI name | API example |
---|---|
URL | not(any(http.request.uri.content_category[*] in {1})) |
UI name | API example |
---|---|
URL Path | http.request.uri.path == \"/foo/bar\" |
UI name | API example |
---|---|
URL Path and Query | http.request.uri.path_and_query == \"/foo/bar?ab%242=%2A342\" |
UI name | API example |
---|---|
URL Query | not(http.request.uri in $%s) |
Identity-based selectors include:
- SAML Attributes
- User Email
- User Group Emails
- User Group IDs
- User Group Names
- User Name
To use identity-based selectors, enable Gateway with WARP in the Zero Trust WARP client and enroll your user in your organization. For more information, refer to Identity-based policies.
Use this selector to match all traffic routed through a specific Tunnel Virtual Network via the WARP client.
UI name | API example |
---|---|
Virtual Network | http.conn.vnet_id == "957fc748-591a-e96s-a15d-1j90204a7923" |
Comparison operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.
Operator | Meaning |
---|---|
is | equals the defined value |
is not | does not equal the defined value |
in | matches at least one of the defined values |
not in | does not match any of the defined values |
in list | in a pre-defined list of values |
not in list | not in a pre-defined list of values |
matches regex | regex evaluates to true |
does not match regex | regex evaluates to false |
greater than | exceeds the defined number |
greater than or equal to | exceeds or equals the defined number |
less than | below the defined number |
less than or equal to | below or equals the defined number |
In the Value field, you can input a single value when using an equality comparison operator (such as is) or multiple values when using a containment comparison operator (such as in). Additionally, you can use regular expressions (or regex) to specify a range of values for supported selectors.
Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Wildcards. To evaluate if your regex matches, you can use Rustexp ↗.
If you want to match multiple values, you can use the pipe symbol (|
) as an OR operator. In Gateway, you do not need to use an escape character (\
) before the pipe symbol. For example, the following policy blocks requests to two hostnames if either appears in a request header:
Selector | Operator | Value | Action |
---|---|---|---|
Host | matches regex | .\*whispersystems.org|.\*signal.org | Block |
In addition to regular expressions, you can use logical operators to match multiple values.
To evaluate multiple conditions in an expression, select the And logical operator. These expressions can be compared further with the Or logical operator.
Operator | Meaning |
---|---|
And | match all of the conditions in the expression |
Or | match any of the conditions in the expression |
The Or operator will only work with conditions in the same expression group. For example, you cannot compare conditions in Traffic with conditions in Identity or Device Posture.
If a condition in an expression joins a request attribute (such as Source IP) and a response attribute (such as a DLP Profile), then the condition will be evaluated when the response is received.