Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

HTTP policies

HTTP policies allow you to intercept all HTTP and HTTPS requests and either block, allow, or override specific elements such as websites, IP addresses, and file types. HTTP policies operate on Layer 7 for all TCP (and optionally UDP) traffic sent over ports 80 and 443.

An HTTP policy consists of an Action as well as a logical expression that determines the scope of the policy. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field. You can use And and Or logical operators to evaluate multiple conditions.

If a condition in an expression joins a query attribute (such as Source IP) and a response attribute (such as Resolved IP), then the condition will be evaluated when the response is received.

​​ Actions

Actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.

​​ Allow

API value: allow

The Allow action allows outbound traffic to reach destinations you specify within the Selectors and Value fields. For example, the following configuration allows traffic to reach all websites we categorize as belonging to the Education content category:

Selector Operator Value Action
Content Categories in Education Allow

​​ Untrusted certificates

The Untrusted certificate action determines how to handle insecure requests.

Option Action
Error Display Gateway error page. Matches the default behavior when no action is configured.
Block Display block page as set in Zero Trust.
Pass through Bypass insecure connection warnings and seamlessly connect to the upstream. To use this feature, deploy a custom root certificate. For more information on what statuses are bypassed, refer to the troubleshooting FAQ.

​​ Block

API value: block

The Block action blocks outbound traffic from reaching destinations you specify within the Selectors and Value fields. For example, the following configuration blocks users from being able to upload any file type to Google Drive:

Selector Operator Value Logic Action
Application in Google Drive And Block
Upload Mime Type matches regex .*

​​ Isolate

API value: isolate

For more information on this action, refer to the documentation on Browser Isolation policies.

​​ Do Not Isolate

API value: noisolate

For more information on this action, refer to the documentation on Browser Isolation policies.

​​ Do Not Inspect

API value: off

Do Not Inspect lets you bypass certain elements from inspection. To prevent Gateway from decrypting and inspecting HTTPS traffic, your policy must match against the Server Name Indicator (SNI) in the TLS header. Learn more about applications which may require a Do Not Inspect policy.

All Do Not Inspect rules are evaluated first, before any Allow or Block rules, to determine if decryption should occur. Learn more about the order of enforcement for HTTP policies.

​​ Do Not Scan

API value: noscan

When an admin enables AV scanning for uploads and/or downloads, Gateway will scan every supported file. Admins can selectively choose to disable scanning by leveraging the HTTP rules. For example, to prevent AV scanning of files uploaded to or downloaded from example.com, an admin would configure the following rule:

Selector Operator Value Action
Hostname Matches Regex .*example.com Do Not Scan

When a Do Not Scan rule matches, nothing is scanned, regardless of file size or whether the file type is supported or not.

​​ Selectors

Gateway matches HTTP traffic against the following selectors, or criteria:

​​ Application

You can apply HTTP policies to a growing list of popular web applications. Refer to Application and app types for more information.

UI name API example Evaluation phase
Application any(app.ids[*] in {505}) Before DNS resolution

​​ Content Categories

UI name API example
Content Categories not(any(http.request.uri.content_category[*] in {1}))

For more information, refer to our list of content categories.

​​ Destination Continent

The continent where the request is destined. Geolocation is determined from the target IP address. To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI name API example
Destination Continent IP Geolocation http.dst_ip.geo.continent == "EU"

​​ Destination Country

The country that the request is destined for. Geolocation is determined from the target IP address. To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI name API example
Destination Country IP Geolocation http.dst_ip.geo.country == "RU"

​​ Destination IP

UI name API example
Destination IP http.dst.ip == "10.0.0.0/8"

​​ Domain

Use this selector to match against a domain and all subdomains — for example, if you want to block example.com and subdomains such as www.example.com.

UI name API example
Domain any(http.request.domains[*] == "example.com")

​​ Download and Upload File Type

These selectors will scan file signatures in the HTTP body. Supported file types include Microsoft Office documents, PDF files, and ZIP files.

UI name API example
Download File Type http.download.file.type in {\"PDF\" \"ZIP\" \"XLXS\"}
UI name API example
Upload File Type http.upload.file.type in {\"PDF\" \"ZIP\" \"XLXS\"}

​​ Download and Upload Mime Type

These selectors depend on the Content-Type header being present in the request (for uploads) or response (for downloads).

UI name API example
Download Mime Type http.download.mime == "image/png\"
UI name API example
Upload Mime Type http.upload.mime == "image/png\"

​​ DLP Profile

Scans HTTP traffic for the presence of social security numbers and other PII. You must configure the DLP Profile before you can use this selector in your policy. For more information, refer to our DLP Profile documentation.

​​ Host

Use this selector to match only the hostname specified — for example, if you want to block test.example.com but not example.com or www.test.example.com.

UI name API example
Host http.request.host == "test.example.com"

​​ HTTP Method

UI name API example
HTTP Method http.request.method == "GET"

​​ HTTP Response

UI name API example
URL http.response.status_code == "200"

​​ Device Posture

With the Device Posture selector, admins can use signals from end-user devices to secure access to their internal and external resources. For example, a security admin can choose to limit all access to internal applications based on whether specific software is installed on a device and/or if the device or software are configured in a particular way.

UI name API example
Passed Device Posture Checks any(device_posture.checks.failed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"})"

​​ Security Risks

UI name API example
Security Risks any(http.request.uri.category[*] in {1})

For more information, refer to our list of security categories.

​​ Source Continent

The continent of the user making the request.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI name API example Evaluation phase
Source Continent IP Geolocation http.src_ip.geo.continent == "North America" Before DNS resolution

​​ Source Country

The country of the user making the request.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI name API example Evaluation phase
Source Country IP Geolocation http.src_ip.geo.country == "RU" Before DNS resolution

​​ Source Internal IP

Use this selector to apply HTTP policies to a private IP address, assigned by a user’s local network, that requests arrive to Gateway from. This selector will only apply to users connected through a Magic GRE or IPSec tunnel.

UI name API example
Source Internal IP http.src.internal_src_ip == "192.168.86.0/27"

​​ Source IP

UI name API example
Source IP http.src.ip == "10.0.0.0/8"

​​ URL

UI name API example
URL not(any(http.request.uri.content_category[*] in {1}))

​​ URL Path

UI name API example
URL Path http.request.uri.path == \"/foo/bar\"

​​ URL Path and Query

UI name API example
URL Path and Query http.request.uri.path_and_query == \"/foo/bar?ab%242=%2A342\"

​​ URL Query

UI name API example
URL Query not(http.request.uri in $%s)

​​ Users

The User, User Group, and SAML Attributes selectors require Gateway with WARP mode to be enabled in the Zero Trust WARP client, and the user to be enrolled in the organization via the WARP client. For more information on identity-based selectors, refer to the Identity-based policies page.

​​ Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.

Operator Meaning
is equals the defined value
is not does not equal the defined value
in matches at least one of the defined values
not in does not match any of the defined values
in list in a pre-defined list of values
not in list not in a pre-defined list of values
matches regex regex evaluates to true
does not match regex regex evaluates to false
greater than exceeds the defined number
greater than or equal to exceeds or equals the defined number
less than below the defined number
less than or equal to below or equals the defined number

​​ Value

You can input a single value or use regular expressions to specify a range of values.

Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Wildcards.

For example, if you want to match multiple domains, you could use the pipe symbol (|) as an OR operator. In Gateway, you do not need to use an escape character (\) before the pipe symbol. The following configuration blocks requests to two hosts if either appears in a request header:

Selector Operator Value Action
Host Matches regex .\*whispersystems.org|.\*signal.org Block

To evaluate if your regex matches, you can use Rustexp.

​​ Logical operators

To evaluate multiple conditions in an expression, select the Add logical operator. These expressions can be compared further with the Or logical operator.

Operator Meaning
And match all of the conditions in the expression
Or match any of the conditions in the expression

The Or operator will only work with conditions in the same expression group. For example, you cannot compare conditions in Traffic with conditions in Identity or Device Posture.

If a condition in an expression joins a request attribute (such as Source IP) and a response attribute (such as a DLP Profile), then the condition will be evaluated when the response is received.