Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Isolate self-hosted application

With Access policies, you can require users to open self-hosted applications in a secure remote browser. Because the remote browser is directly integrated into our Secure Web Gateway platform, HTTP policies can be applied to isolated applications without needing to install the WARP client. This allows you to distribute internal applications to unmanaged users while retaining control over sensitive data.

​​ Prerequisites

Your browser must allow third-party cookies on the application domain.

​​ Enable Browser Isolation

  1. In Zero Trust, go to Settings > Browser Isolation.
  2. Enable Clientless Web Isolation.
  1. Next, go to Access > Applications.
  2. Choose a self-hosted application and select Configure.
  3. Choose an Allow policy and select Configure.
  4. Under Additional settings, turn on Isolate application.
  5. Save the policy.

Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser.

You can optionally add a second Allow policy for users on managed devices who do not require isolation.

​​ Policies for isolated applications

Traffic to the isolated Access application is filtered by your Gateway HTTP policies. Useful policies include:

For example, if your application is hosted on, the following policy blocks users from uploading and downloading credit card numbers within the remote browser:

Selector Operator Value Logic Action
Domain in And Block
DLP Profile in Financial Information

​​ Product compatibility

Refer to this page for a list of products that are incompatible with the Isolate application feature.