Cloudflare Docs
Cloudflare Zero Trust

Common HTTP policies

The following policies are commonly used to secure HTTP traffic.

Refer to the HTTP policies page for a comprehensive list of other selectors, operators, and actions.

Block sites

Block attempts to reach sites by hostname or URL paths. Different approaches may be required based on how a site is organized.

Block sites by hostname

Block all subdomains that use a host.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Host | matches regex | .*example\.com | Block |

Block sites by URL

Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as reddit.com/r/gaming, without blocking reddit.com.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| URL | matches regex | /r/gaming | Block |

Block content categories

Block content categories which go against your organization's acceptable use policy.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content categories | in | Adult Themes, Gambling | Block |

Block unauthorized applications

To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks AI assistants:

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | ChatGPT, Bard | Block |

Check user identity

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies. The two rows below are combined with And, so the request is blocked only when both conditions hold.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Salesforce | And | Block |
| User Group Names | in | Contractors | | |

Skip inspection for groups of applications

Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The TLS inspection performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy.

Gateway evaluates Do Not Inspect policies first. We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Do Not Inspect | Do Not Inspect |
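As an added illustration (not part of the Cloudflare documentation), the following Python models how the policies on this page combine: Do Not Inspect policies are evaluated before the others, an And row requires every condition to hold, and the first matching policy decides. The selector helpers, the sample requests, and the treatment of "matches regex" as an unanchored search (as the page's own `.*example\.com` pattern suggests) are assumptions of this model, not Gateway's implementation.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed sample request; fields mirror the page's selectors."""
    host: str
    path: str
    app: str = ""          # application detected by Gateway (assumed name)
    groups: tuple = ()     # identity-provider group names of the user


@dataclass
class Policy:
    name: str
    action: str            # "Block", "Allow" or "Do Not Inspect"
    conditions: list       # callables; all must hold (the page's And logic)


def host_regex(pattern):
    # "Host matches regex": unanchored search, so ".*example\.com" also
    # matches hosts such as notexample.com; anchor patterns if that matters.
    return lambda r: re.search(pattern, r.host) is not None

def url_regex(pattern):
    return lambda r: re.search(pattern, r.host + r.path) is not None

def app_in(*apps):
    return lambda r: r.app in apps

def group_in(*groups):
    return lambda r: any(g in groups for g in r.groups)


def evaluate(policies, req):
    """Do Not Inspect policies go first; then the first match wins.
    No match means the request is allowed (and inspected)."""
    dni = [p for p in policies if p.action == "Do Not Inspect"]
    rest = [p for p in policies if p.action != "Do Not Inspect"]
    for p in dni + rest:
        if all(cond(req) for cond in p.conditions):
            return p.action, p.name
    return "Allow", None


POLICIES = [
    Policy("Block sites by hostname", "Block", [host_regex(r".*example\.com")]),
    Policy("Block gaming subreddit", "Block", [url_regex(r"/r/gaming")]),
    Policy("Contractors Salesforce", "Block",
           [app_in("Salesforce"), group_in("Contractors")]),
    Policy("Skip pinned apps", "Do Not Inspect", [app_in("Zoom")]),
]
```

Note that a Zoom request to a host under example.com is still not inspected, even though the Do Not Inspect policy sits last in the list, because Gateway evaluates those policies first.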

Enforce device posture

Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to the device posture section.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Passed Device Posture Checks | in | Minimum OS version | Allow |

Enforce session duration

Require users to re-authenticate after a certain amount of time has elapsed.

Isolate high-risk sites in remote browser

If you are using the Browser Isolation add-on, refer to our list of common Isolate policies.

Bypass inspection for self-signed certificates

When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Domain | in | internal.site.com | Do Not Inspect |

Block file types

Block the upload or download of files based on their type.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Upload File Type | in | Microsoft Office Word Document (docx) | And | Block |
| Download File Type | in | PDF (pdf) | | |

Block Google services

To enable Gateway inspection for Google Drive traffic, you must add the Cloudflare certificate to Google Drive.

Block Google Drive uploads

Block file uploads to Google Drive.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Google Drive | And | Block |
| Upload Mime Type | matches regex | .* | | |

Block Google Drive downloads

Block file downloads from Google Drive.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Application | in | Google Drive | And | Block |
| URL Path & Query | matches regex | .*(e=download|export).* | | |

Block Gmail downloads

Block file downloads from Gmail.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Host | is | mail-attachment.googleusercontent.com | And | Block |
| URL Path & Query | is | /attachment/u/0 | | |