
Get started with DLP

Data Loss Prevention is enabled through Secure Web Gateway HTTP policies. To perform DLP filtering, first configure a DLP Profile with the data patterns you want to detect, and then build a Gateway HTTP policy to allow or block the sensitive data from leaving your organization. Gateway will parse and scan your HTTP traffic for strings matching the keywords or regular expressions (regexes) specified in the DLP profile.

Prerequisites

Enable Gateway HTTP filtering.

1. Configure a DLP Profile

Cloudflare DLP provides predefined profiles for common detections, or you can define your own regexes in a custom profile.

To get started with a predefined profile:

  1. In Zero Trust, go to Gateway > DLP Profiles.
  2. Choose a predefined profile and select Configure.
  3. Enable one or more Detection entries according to your preferences. The DLP Profile matches using the OR logical operator — if multiple entries are enabled, your data needs to match only one of the entries.
  4. Select Save profile.

2. Create a DLP policy

DLP Profiles may be used alongside other Zero Trust rules in a Gateway HTTP policy. To start logging or blocking traffic, create a policy for DLP:

  1. In Zero Trust, go to Gateway > Firewall Policies > HTTP.

  2. Select Create a policy.

  3. Build an HTTP policy using the DLP Profile selector. For example, the following policy prevents users from uploading sensitive data to any location other than an approved corporate application:

    Policy name: Only allow SSN uploads to Workday

    Selector      Operator  Value
    DLP Profiles  in        U.S. Social Security Numbers
    Application   not in    Workday

    Action: Block

  4. Select Create policy.

DLP scanning is now enabled.

3. Test DLP

You can test your DLP policy on any device connected to your Zero Trust organization. To perform a basic test:

  1. Go to dlptest.com.
  2. Enter a text message or upload a file containing the sensitive data.
  3. Select Submit to send the request.

If the data matches your DLP policy, you will see the request in your DLP logs. If DLP detects a false positive, you can report it to Cloudflare.

Different sites will send requests in different ways. For example, some sites will split a file upload into multiple requests. Therefore, even if the policy works on dlptest.com, it is not guaranteed to work the same way on another site or application. To fine-tune your DLP policy, refer to our configuration tips.
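The following is an added example, not Cloudflare's code or part of the original page. It is a simplified local model of the example policy above (a profile whose entries are ORed together, blocked unless the application is Workday), and it shows why a test that passes with a single-request upload can behave differently when the same data is split across several requests. The regexes, the entry names, the sample record and the assumption that each request body is scanned on its own are all constructed for illustration.

```python
import re

# Constructed stand-in for a DLP profile: entry name -> regex.
# Illustrative patterns only, not Cloudflare's predefined detection entries.
PROFILE = {
    "ssn_dashed": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ssn_keyword": re.compile(r"(?i)\bsocial security number\b"),
}
APPROVED_APPS = {"Workday"}  # value of the "Application not in" row

# Constructed test record; the number is a sample value, not real data.
DOC = "Employee record\nSSN: 078-05-1120\n"


def profile_matches(body, enabled):
    """OR logic: list every enabled entry that matches; one hit is enough."""
    return [name for name in enabled if PROFILE[name].search(body)]


def evaluate(app, body, enabled=("ssn_dashed", "ssn_keyword")):
    """Model of the example policy: profile matches AND app not approved -> block."""
    hits = profile_matches(body, enabled)
    action = "block" if hits and app not in APPROVED_APPS else "allow"
    return action, hits


def split(data, size):
    """Cut an upload into fixed-size pieces, as a chunking client might."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def evaluate_upload(app, chunks, enabled=("ssn_dashed",)):
    """Assumption: every request of a multi-request upload is scanned alone."""
    return [evaluate(app, chunk, enabled)[0] for chunk in chunks]


if __name__ == "__main__":
    print(evaluate("dlptest.com", DOC))   # one request to an unapproved site
    print(evaluate("Workday", DOC))       # same data to the approved app
    print(evaluate_upload("dlptest.com", [DOC]))
    # 24-byte chunks cut the record in the middle of the number, so neither
    # request contains a complete match in this model.
    print(evaluate_upload("dlptest.com", split(DOC, 24)))
```

When the model reports a different result for the chunked upload, the practical consequence is the one stated above: repeat the test against each application you intend to cover, and confirm the outcome in your DLP logs.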