Recommended HTTP policies

We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization.

All-HTTP-Application-InspectBypass

Bypass HTTP inspection for applications that use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout.

Selector	Operator	Value	Action
Application	in	Do Not Inspect	Do Not Inspect

Android-HTTP-Application-InspectionBypass

Bypass HTTPS inspection for Android applications (such as Google Drive) that use certificate pinning, which is incompatible with Gateway inspection.

Selector	Operator	Value	Logic	Action
Application	in	Google Drive	And	Do Not Inspect
Passed Device Posture Checks	in	OS Version Android (OS version)

All-HTTP-Domain-Inspection-Bypass

Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection.

Selector	Operator	Value	Logic	Action
Domain	in list	DomainInspectionBypass	Or	Do Not Inspect
Domain	in list	Known Domains

All-HTTP-SecurityRisks-Blocklist

Block security categories, such as Command and Control & Botnet and Malware, based on Cloudflare’s threat intelligence.

Selector	Operator	Value	Action
Security Risks	in	All security risks	Block

All-HTTP-ContentCategories-Blocklist

Entries in the security risk content subcategory, such as New Domains, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your Trusted Domains list used in All-HTTP-Domain-Allowlist.

After your test is complete, we recommend you change the action to Block to minimize risk to your organization.

Selector	Operator	Value	Action
Content Categories	in	Questionable Content, Security Risks, Miscellaneous, Adult Themes, Gambling	Allow

All-HTTP-DomainHost-Blocklist

Block specific domains or hosts that are malicious or pose a threat to your organization. Like All-HTTP-ResolvedIP-Blocklist, this blocklist can be updated manually or via API automation.

Selector	Operator	Value	Logic	Action
Domain	in list	Domain Blocklist	Or	Block
Host	in list	Host Blocklist	Or
Host	matches regex	`.*example\.com`

All-HTTP-Application-Blocklist

Block unauthorized applications to limit your users’ access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks popular AI chatbots.

Selector	Operator	Value	Action
Application	in	Microsoft Copilot, ChatGPT, Google Gemini	Block

PrivilegedUsers-HTTP-Any-Isolate

Isolate traffic for privileged users who regularly access critical systems or execute actions such as threat analysis and malware testing.

Security teams often need to perform threat analysis or malware testing that could trigger malware detection. Likewise, privileged users could be the target of attackers trying to gain access to critical systems.

Selector	Operator	Value	Action
User Group Names	in	Privileged Users	Isolate

Quarantined-Users-HTTP-Restricted-Access

Restrict access for users included in an identity provider (IdP) user group for risky users. This policy ensures your security team can restrict traffic for users of whom malicious or suspicious activity was detected.

Selector	Operator	Value	Logic	Action
Destination IP	not in list	Quarantined-Users-IPAllowlist	And	Block
User Group Names	in	Quarantined Users

All-HTTP-Domain-Isolate

Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection. Ideally, your incident response teams can update the blocklist with an API automation to provide real-time threat protection.

Selector	Operator	Value	Logic	Action
Content Categories	in	New Domain, Newly Seen Domains	Or	Isolate
Domain	in list	Domain Isolation

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings