Common policies
The following policies are commonly used to secure HTTP traffic.
Refer to the HTTP policies page for a comprehensive list of other selectors, operators, and actions.
Block sites
Section titled “Block sites”Block attempts to reach sites by hostname or URL paths. Different approaches may be required based on how a site is organized.
Block sites by hostname
Section titled “Block sites by hostname”Block all subdomains that use a host.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Host | matches regex | .*example\.com | Block |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Block sites by hostname", "description": "Block all subdomains that use a specific hostname", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "http.request.host matches \".*example\\.com\"", "identity": "", "device_posture": ""}'Block sites by URL
Section titled “Block sites by URL”Block a section of a site without blocking the entire site. For example, you can block a specific subreddit, such as reddit.com/r/gaming, without blocking reddit.com.
| Selector | Operator | Value | Action |
|---|---|---|---|
| URL | matches regex | /r/gaming | Block |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Block sites by URL", "description": "Block specific parts of a site without blocking the hostname", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "http.request.uri matches \"/r/gaming\"", "identity": "", "device_posture": ""}'Block content categories
Section titled “Block content categories”Block content categories which go against your organization's acceptable use policy.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content Categories | in | Questionable Content, Security Risks, Miscellaneous, Adult Themes, Gambling | Block |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "All-HTTP-ContentCategories-Blocklist", "description": "Block access to questionable content and potential security risks", "precedence": 40, "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})", "identity": "", "device_posture": ""}'resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" { account_id = var.cloudflare_account_id name = "All-HTTP-ContentCategories-Blocklist" description = "Block access to questionable content and potential security risks" precedence = 40 enabled = true action = "block" filters = ["dns"] traffic = "any(http.request.uri.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161 2 67 125 133 99})"" identity = "" device_posture = ""}Block unauthorized applications
Section titled “Block unauthorized applications”To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Application | in | Artificial Intelligence | Block |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "All-HTTP-Application-Blocklist", "description": "Limit access to shadow IT by blocking web-based tools and applications", "precedence": 60, "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.type.ids[*] in {25})", "identity": "", "device_posture": ""}'resource "cloudflare_zero_trust_gateway_policy" "all_http_application_blocklist" { account_id = var.cloudflare_account_id name = "All-HTTP-Application-Blocklist" description = "Limit access to shadow IT by blocking web-based tools and applications" precedence = 60 enabled = true action = "block" filters = ["http"] traffic = "any(app.type.ids[*] in {25})" identity = "" device_posture = ""}Check user identity
Section titled “Check user identity”Configure access on a per user or group basis by adding identity-based conditions to your policies.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | Salesforce | And | Block |
| User Group Names | in | Contractors |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Check user identity", "description": "Block access to Salesforce by temporary employees and contractors", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[*] in {606})", "identity": "any(identity.groups.name[*] in {\"Contractors\"})", "device_posture": ""}'Skip inspection for groups of applications
Section titled “Skip inspection for groups of applications”Certain client applications, such as Zoom or Apple services, rely on certificate pinning. The TLS decryption performed by Cloudflare Gateway will cause errors when users visit those applications. To avoid this behavior, you must add a Do Not Inspect HTTP policy.
Gateway evaluates Do Not Inspect policies first. We recommend moving your Do Not Inspect policies to the top of the list to reduce confusion.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Application | in | Do Not Inspect | Do Not Inspect |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Bypass incompatible applications", "description": "Skip TLS decryption for applications that are incompatible with Gateway", "enabled": true, "action": "off", "filters": [ "http" ], "traffic": "any(app.type.ids[*] in {16})", "identity": "", "device_posture": ""}'Check device posture
Section titled “Check device posture”Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to Enforce device posture.
Enforce a minimum OS version
Section titled “Enforce a minimum OS version”Perform an OS version check to ensure users are running at least a minimum version.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Passed Device Posture Checks | in | Minimum OS version | Allow |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Require OS version", "description": "Perform an OS version check for minimum version", "enabled": true, "action": "allow", "filters": [ "http" ], "traffic": "", "identity": "", "device_posture": "any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_UUID>\"})"}'To get the UUIDs of your device posture checks, use the List device posture rules endpoint.
Check for a specific file
Section titled “Check for a specific file”Perform a file check to ensure users have a certain file on their device.
Since the file path will be different for each operating system, you can configure a file check for each system and use the Or logical operator to only require one of the checks to pass.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Passed Device Posture Checks | in | macOS File Check | Or | Allow |
| Passed Device Posture Checks | in | Linux File Check |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Check for specific file", "description": "Ensure users have a specific file on their device regardless of operating system", "enabled": true, "action": "allow", "filters": [ "http" ], "traffic": "", "identity": "", "device_posture": "any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_1_UUID>\"}) or any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_2_UUID>\"})"}'To get the UUIDs of your device posture checks, use the List device posture rules endpoint.
Enforce session duration
Section titled “Enforce session duration”Require users to re-authenticate after a certain amount of time has elapsed.
Isolate high risk sites in remote browser
Section titled “Isolate high risk sites in remote browser”If you are using the Browser Isolation add-on, refer to our list of common Isolate policies.
Bypass inspection for self-signed certificates
Section titled “Bypass inspection for self-signed certificates”When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Domain | in | internal.example.com | Do Not Inspect |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Bypass internal site inspection", "description": "Bypass TLS decryption for internal sites with self-signed certificates", "enabled": true, "action": "off", "filters": [ "http" ], "traffic": "any(http.conn.domains[*] in {\"internal.example.com\"})", "identity": "", "device_posture": ""}'Block file types
Section titled “Block file types”Block the upload or download of files based on their type.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Upload File Types | in | Microsoft Office Word Document (docx) | And | Block |
| Download File Types | in | PDF (pdf) |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Block file types", "description": "Block the upload or download of files based on their type", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(http.upload.file.types[*] in {\"docx\"}) and any(http.download.file.types[*] in {\"pdf\"})", "identity": "", "device_posture": ""}'For more information on supported file types, refer to Download and Upload File Types.
Block Google services
Section titled “Block Google services”To enable Gateway inspection for Google Drive traffic, you must add a Cloudflare certificate to Google Drive.
Block Google Drive downloads
Section titled “Block Google Drive downloads”Block file downloads from Google Drive.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | Google Drive | And | Block |
| URL Path & Query | matches regex | .*(e=download|export).* |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Block Google Drive downloads", "description": "Block file downloads from Google Drive", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[*] in {554}) and http.request.uri.path_and_query matches \".*(e=download\\|export).*\"", "identity": "", "device_posture": ""}'Block Google Drive uploads
Section titled “Block Google Drive uploads”Block file uploads from Google Drive.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | Google Drive | And | Block |
| Upload Mime Type | matches regex | .* | And | |
| Host | is not | drivefrontend-pa.clients6.google.com |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Block Google Drive uploads", "description": "Block file uploads to Google Drive", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "any(app.ids[*] in {554}) and http.upload.mime matches \".*\" and not(http.request.host == \"drivefrontend-pa.clients6.google.com\")", "identity": "", "device_posture": ""}'Block Gmail downloads
Section titled “Block Gmail downloads”Block file downloads from Gmail.
| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Host | is | mail-attachment.googleusercontent.com | And | Block |
| URL Path & Query | is | /attachment/u/0 |
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \--header "Content-Type: application/json" \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{ "name": "Block Gmail downloads", "description": "Block file downloads from Gmail", "enabled": true, "action": "block", "filters": [ "http" ], "traffic": "http.request.host == \"mail-attachment.googleusercontent.com\" and http.request.uri.path_and_query matches \"/attachment/u/0\"", "identity": "", "device_posture": ""}'Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark