Skip to content
Cloudflare Docs

Cloudflare Sensitive Data Detection

The Cloudflare Sensitive Data Detection managed ruleset helps identify data leaks generated by your origin servers. Its rules run on the body of the response looking for patterns of common sensitive data, including:

  • Personal identifiable information (PII) — for example, passport numbers
  • Financial information — for example, credit card numbers
  • Secrets — for example, API keys

Turning on Cloudflare Sensitive Data Detection will not introduce additional latency, since the detection occurs outside the response path. For this reason, rules are always deployed with the Log action (you cannot block a response that was already sent), providing you with visibility on the sensitive data leaving your origin servers.

Some rules in the Cloudflare Sensitive Data Detection managed ruleset are disabled by default, to prevent false positives and a large number of logged events. You should review the PII and sensitive data relevant to your application and turn on the appropriate rules in the managed ruleset, according to the instructions in the following sections.

Additional remarks

When turned on, Cloudflare Sensitive Data Detection will check all responses sent to visitors (according to your custom filter expression, if defined), including responses from cache and responses handled by Workers.

The detection will handle text, HTML, JSON, and XML content in the response up to 1 MB.

Configure in the dashboard

To configure Cloudflare Sensitive Data Detection in the Cloudflare dashboard, go to Security > Sensitive Data.

You can turn the managed ruleset on or off, and configure the following settings:

  • Turn on or off specific rules or rules with specific tags.
  • Customize the filter expression. With a custom expression, Cloudflare Sensitive Data Detection applies only to a subset of the incoming requests.

For details on configuring a managed ruleset in the dashboard, refer to Configure a managed ruleset.

Configure via API

To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with execute action in the entry point ruleset for the http_response_firewall_managed phase.

Example

This example deploys the Cloudflare Sensitive Data Detection managed ruleset to the http_response_firewall_managed phase of a given zone ({zone_id}) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.

  1. Invoke the Get a zone entry point ruleset operation to obtain the definition of the entry point ruleset for the http_response_firewall_managed phase. You will need the zone ID for this task.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_response_firewall_managed/entrypoint" \
    --header "Authorization: Bearer <API_TOKEN>"
    {
      "result": {
        "description": "Zone-level phase entry point (response)",
        "id": "<RULESET_ID>",
        "kind": "zone",
        "last_updated": "2024-03-16T15:40:08.202335Z",
        "name": "zone",
        "phase": "http_response_firewall_managed",
        "rules": [
          // ...
        ],
        "source": "firewall_managed",
        "version": "10"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

  2. If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create a zone ruleset rule operation to add an execute rule to the existing ruleset deploying the Cloudflare Sensitive Data Detection managed ruleset (with ID e22d83c647c64a3eae91b71b499d988e). By default, the rule will be added at the end of the list of rules already in the ruleset.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "action": "execute",
      "action_parameters": {
        "id": "e22d83c647c64a3eae91b71b499d988e"
      },
      "expression": "true",
      "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
    }'
    {
      "result": {
        "id": "<RULESET_ID>",
        "name": "Zone-level phase entry point (response)",
        "description": "",
        "kind": "zone",
        "version": "11",
        "rules": [
          // ... any existing rules
          {
            "id": "<RULE_ID>",
            "version": "1",
            "action": "execute",
            "action_parameters": {
              "id": "e22d83c647c64a3eae91b71b499d988e",
              "version": "latest"
            },
            "expression": "true",
            "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",
            "last_updated": "2024-03-18T18:08:14.003361Z",
            "ref": "<RULE_REF>",
            "enabled": true
          }
        ],
        "last_updated": "2024-03-18T18:08:14.003361Z",
        "phase": "http_response_firewall_managed"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

  3. If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create a zone ruleset operation. Include a single rule in the rules array that executes the Cloudflare Sensitive Data Detection managed ruleset (with ID e22d83c647c64a3eae91b71b499d988e) for all incoming requests in the zone.

    Terminal window
    curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "name": "My ruleset",
      "description": "Entry point ruleset for WAF managed rulesets (response)",
      "kind": "zone",
      "phase": "http_response_firewall_managed",
      "rules": [
        {
          "action": "execute",
          "action_parameters": {
            "id": "e22d83c647c64a3eae91b71b499d988e"
          },
          "expression": "true",
          "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
        }
      ]
    }'

Next steps

To configure the Cloudflare Sensitive Data Detection managed ruleset via API, create overrides using the Rulesets API. You can perform the following configurations:

  • Specify the action to perform for all the rules in the ruleset by creating a ruleset override.
  • Disable or customize the action of individual rules by creating rule overrides for those rules.

For examples of creating overrides using the API, refer to Override a managed ruleset.

More resources

For more information on working with managed rulesets via API, refer to Work with managed rulesets in the Ruleset Engine documentation.

Review detected leaks

To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following:

  • Regularly check Security Events for any events generated by the managed ruleset.
  • Configure WAF alerts to be alerted of any spike of WAF events. For the Advanced Security Events Alert, you can filter by one or more domains on Enterprise plans and by the Data Loss Protection service to receive specific alerts about Sensitive Data Detection.
Cloudflare DashboardDiscordCommunityLearning CenterSupport Portal
Cookie Settings