Common HTTP policies
The following policies are commonly used to secure HTTP traffic.
Block content categories
Block content categories which go against your organization’s acceptable use policy.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | in | Adult Themes, Gambling | Block |
Block applications
Block content categories which go against your organization’s acceptable use policy.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Application | in | Netflix | Block |
Check user identity
Configure access on a per user or group basis by adding identity-based conditions to your policies.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Application | in | Salesforce | Block |
| User Group Names | in | Contractors |
Enforce device posture
Require devices to have certain software installed or other configuration attributes. For instructions on setting up a device posture check, refer to the device posture section .
| Selector | Operator | Value | Action |
|---|---|---|---|
| Passed Device Posture Checks | in | Minimum OS version | Allow |
Enforce session duration
Require users to re-authenticate after a certain amount of time has elapsed.
Isolate high risk sites in remote browser
Feature availability
Remote Browser Isolation is available as an add-on to Zero Trust Standard and Enterprise plans. See our payment plans for more information.
Isolate security risks
Isolate high risk content categories such as newly registered domains.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | in | Security Risks | Isolate |
Isolate news and media
Isolate News and Media sites, which are targets for Malvertising attacks:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | in | News and Media | Isolate |
Isolate unknown content
Isolate content that has not been categorized by Cloudflare Radar:
| Selector | Operator | Value | Action |
|---|---|---|---|
| Content categories | not in | All content categories | Isolate |
Bypass inspection for self-signed certificates
When accessing origin servers with certificates not signed by a public certificate authority, you must bypass TLS decryption.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Domain | in | internal.site.com | Do Not Inspect |
Refer to the HTTP policies page for a comprehensive list of other selectors, operators, and actions.