Skip to content

Scan HTTP traffic

You can scan HTTP traffic for sensitive data through Secure Web Gateway policies. To perform DLP filtering, first configure a DLP profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile.

Prerequisites

1. Configure a DLP profile

Refer to Configure a DLP profile. We recommend getting started with a predefined profile.

2. Create a DLP policy

DLP Profiles may be used alongside other Zero Trust rules in a Gateway HTTP policy. To start logging or blocking traffic, create a policy for DLP:

  1. In Zero Trust, go to Gateway > Firewall policies. Select HTTP.

  2. Select Add a policy.

  3. Build an HTTP policy using the DLP Profile selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application:

    SelectorOperatorValueLogicAction
    DLP ProfilesinU.S. Social Security NumbersAndBlock
    Applicationnot inWorkday
  4. Select Create policy.

DLP scanning is now turned on.

3. Test DLP policy

You can test your DLP policy on any device connected to your Zero Trust organization. To perform a basic test:

  1. Go to dlptest.com.
  2. Enter a text message or upload a file containing the sensitive data.
  3. Select Submit to send the request.

The request will be allowed or blocked according to your DLP policies. If the data matches a DLP policy, you will see the request in your DLP logs.

Different sites will send requests in different ways. For example, some sites will split a file upload into multiple requests. Therefore, even if the policy works on dlptest.com, it is not guaranteed to work the same way on another site or application.

4. View DLP logs

  1. In Zero Trust, go to Logs > Gateway > HTTP.
  2. Select Filter.
  3. Choose an item under one of the following filters:
    • DLP Profiles shows the requests which matched a specific DLP profile.
    • Policy shows the requests which matched a specific DLP policy.

You can expand an individual row to view details about the request. To see the data that triggered the DLP policy, configure payload logging.

Report false positives

  1. Select the log you want to report.
  2. Select Report DLP false positive under DLP details.
  3. The information to be sent to Cloudflare will appear. To confirm your report, select Send report.

Cloudflare will not respond directly to your report, but reporting false positives helps us improve our products. If you require technical assistance, reach out to support.