Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Global policies

Cloudflare Zero Trust applies a set of global policies to all accounts.

​​ DNS policies

Criteria Value Action Description
Hostname * allow Allows SNI domains for WARP registration.
Hostname * allow Allows Zero Trust client.
Hostname * allow Allows Gateway proxy with PAC files.
Hostname,,,,,, and allow Allows Cloudflare Zero Trust services.
Hostname * allow Allows Cloudflare Access applications.

​​ Network proxy policies

Criteria Value Action Description
Hostname * allow Allows Cloudflare Access applications.
Hostname allow Used by the WARP client to check if Gateway is on by inspecting the certificate and checking if it is properly installed on the client device.
Content Category Child Abuse block Blocks child abuse materials.

​​ HTTP inspection policies

Criteria Value Action Description
Hostname * bypass Ensures users cannot accidentally block themselves from making account changes.
Hostname * bypass Bypasses so users can reach the status page in case of a Gateway outage.
Hostname * bypass Ensures requests to the DNS endpoint will not be inspected.
Hostname * bypass Bypasses * for Cloudflare’s network error logging feature.
Hostname bypass Bypasses Cloudflare’s API endpoint.
Hostname bypass Prevents users from being locked out of the Zero Trust dashboard.
Hostname * bypass Bypasses the Cloudflare dashboard and subdomains.
Hostname bypass Prevents an infinite loop on the Gateway block page.
Hostname and noisolate Prevents isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues.
Hostname * bypass Required for Remote Browser Isolation (RBI).
Hostname * and * bypass Required for RBI.
Hostname * and * isolate Required for RBI.
Hostname noscan Allows files transferred by the Cloudflare speed test.
Request Header Accept: text/html noisolate Ensures only browsers will be isolated. Browsers issue an Accept: HTTP header that begins with text/html.
Application Online Certificate Status Protocol bypass Enables OCSP stapling.