Recommended HTTP policies
3 min read
We recommend you add the following HTTP policies to build an Internet and SaaS app security strategy for your organization. Bypass HTTP inspection for applications that use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout. Bypass HTTPS inspection for Android applications (such as Google Drive) that use certificate pinning, which is incompatible with Gateway inspection. Bypass HTTP inspection for a custom list of domains identified as incompatible with TLS inspection. Block security categories, such as Command and Control & Botnet and Malware, based on Cloudflare’s threat intelligence. Entries in the security risk content subcategory, such as New Domains, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your Trusted Domains list used in All-HTTP-Domain-Allowlist. After your test is complete, we recommend you change the action to Block to minimize risk to your organization. Block specific domains or hosts that are malicious or pose a threat to your organization. Like All-HTTP-ResolvedIP-Blocklist, this blocklist can be updated manually or via API automation. Block unauthorized applications to limit your users’ access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks popular AI chatbots. Isolate traffic for privileged users who regularly access critical systems or execute actions such as threat analysis and malware testing. Security teams often need to perform threat analysis or malware testing that could trigger malware detection. Likewise, privileged users could be the target of attackers trying to gain access to critical systems. Restrict access for users included in an identity provider (IdP) user group for risky users. This policy ensures your security team can restrict traffic for users of whom malicious or suspicious activity was detected. Isolate high risk domains or create a custom list of known risky domains to avoid data exfiltration or malware infection. Ideally, your incident response teams can update the blocklist with an API automation to provide real-time threat protection.All-HTTP-Application-InspectBypass
Selector Operator Value Action Application in Do Not Inspect Do Not Inspect Android-HTTP-Application-InspectionBypass
Selector Operator Value Logic Action Application in Google Drive And Do Not Inspect Passed Device Posture Checks in OS Version Android (OS version) All-HTTP-Domain-Inspection-Bypass
Selector Operator Value Logic Action Domain in list DomainInspectionBypass Or Do Not Inspect Domain in list Known Domains All-HTTP-SecurityRisks-Blocklist
Selector Operator Value Action Security Risks in All security risks Block All-HTTP-ContentCategories-Blocklist
Selector Operator Value Action Content Categories in Questionable Content, Security Risks, Miscellaneous, Adult Themes, Gambling Allow All-HTTP-DomainHost-Blocklist
Selector Operator Value Logic Action Domain in list Domain Blocklist Or Block Host in list Host Blocklist Or Host matches regex .*example\.comAll-HTTP-Application-Blocklist
Selector Operator Value Action Application in Microsoft Copilot, ChatGPT, Google Gemini Block PrivilegedUsers-HTTP-Any-Isolate
Selector Operator Value Action User Group Names in Privileged Users Isolate Quarantined-Users-HTTP-Restricted-Access
Selector Operator Value Logic Action Destination IP not in list Quarantined-Users-IPAllowlist And Block User Group Names in Quarantined Users All-HTTP-Domain-Isolate
Selector Operator Value Logic Action Content Categories in New Domain, Newly Seen Domains Or Isolate Domain in list Domain Isolation