Common HTTP policies
The following policies are commonly used to secure HTTP traffic.
Refer to the HTTP policies page for a comprehensive list of other selectors, operators, and actions.
Block sites
Block attempts to reach sites by hostname or URL paths. Different approaches may be required based on how a site is organized.
Block sites by hostname
Block all subdomains that use a host.
Selector | Operator | Value | Action |
---|---|---|---|
Host | matches regex | .*example\.com |
Block |
Block sites by URL
Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as reddit.com/r/gaming
, without blocking reddit.com
.
Selector | Operator | Value | Action |
---|---|---|---|
URL | matches regex | /r/gaming |
Block |
Block content categories
Block content categories which go against your organization’s acceptable use policy.
Selector | Operator | Value | Action |
---|---|---|---|
Content categories | in | Adult Themes, Gambling | Block |
Block unauthorized applications
To minimize the risk of shadow IT, some organizations choose to limit their users’ access to certain web-based tools and applications. For example, the following policy blocks AI assistants:
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | ChatGPT , Bard |
Block |
Check user identity
Configure access on a per user or group basis by adding identity-based conditions to your policies.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Application | in | Salesforce | And | Block |
User Group Names | in | Contractors |
Skip inspection for groups of applications
Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The TLS inspection performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy.
Gateway evaluates Do Not Inspect policies first. We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion.
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | Do Not Inspect | Do Not Inspect |
Enforce device posture
Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to the device posture section.
Selector | Operator | Value | Action |
---|---|---|---|
Passed Device Posture Checks | in | Minimum OS version |
Allow |
Enforce session duration
Require users to re-authenticate after a certain amount of time has elapsed.
Isolate high risk sites in remote browser
If you are using the Browser Isolation add-on, refer to our list of common Isolate policies.
Bypass inspection for self-signed certificates
When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption.
Selector | Operator | Value | Action |
---|---|---|---|
Domain | in | internal.site.com |
Do Not Inspect |
Block file types
Block the upload or download of files based on their type.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Upload File Type | in | Microsoft Office Word Document (docx) | And | Block |
Download File Type | in | PDF (pdf) |
Block Google services
To enable Gateway inspection for Google Drive traffic, you must add the Cloudflare certificate to Google Drive.
Block Google Drive uploads
Block file uploads to Google Drive.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Application | in | Google Drive | And | Block |
Upload Mime Type | matches regex | .* |
Block Google Drive downloads
Block file downloads from Google Drive.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Application | in | Google Drive | And | Block |
URL Path & Query | matches regex | .*(e=download|export).* |
Block Gmail downloads
Block file downloads from Gmail.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Host | is | mail-attachment.googleusercontent.com |
And | Block |
URL Path & Query | is | /attachment/u/0 |