Cloudflare Sensitive Data Detection
The Cloudflare Sensitive Data Detection managed ruleset helps identify data leaks generated by your origin servers. Its rules run on the body of the response looking for patterns of common sensitive data, including:
- Personally identifiable information (PII) — for example, passport numbers
- Financial information — for example, credit card numbers
- Secrets — for example, API keys
Turning on Cloudflare Sensitive Data Detection will not introduce additional latency, since the detection occurs outside the response path. For this reason, rules are always deployed with the Log action (you cannot block a response that was already sent), providing you with visibility on the sensitive data leaving your origin servers.
Some rules in the Cloudflare Sensitive Data Detection managed ruleset are disabled by default, to prevent false positives and a large number of logged events. You should review the PII and sensitive data relevant to your application and turn on the appropriate rules in the managed ruleset, according to the instructions in the following sections.
Additional remarks
When turned on, Cloudflare Sensitive Data Detection will check all responses sent to visitors (according to your custom filter expression, if defined), including responses from cache and responses handled by Workers.
The detection will handle text, HTML, JSON, and XML content in the response up to 1 MB.
Configure in the dashboard
To configure Cloudflare Sensitive Data Detection in the Cloudflare dashboard, go to Security > Sensitive Data.
You can turn the managed ruleset on or off, and configure the following settings:
- Turn on or off specific rules or rules with specific tags.
- Customize the filter expression. With a custom expression, Cloudflare Sensitive Data Detection applies only to a subset of the incoming requests.
For details on configuring a managed ruleset in the dashboard, refer to Configure a managed ruleset.
Configure via API
To enable Cloudflare Sensitive Data Detection for a given zone via API, create a rule with execute action in the entry point ruleset for the http_response_firewall_managed phase. For more information on deploying a managed ruleset, refer to Deploy a managed ruleset.
The ruleset ID is the following: ...499d988e.
To configure Cloudflare Sensitive Data Detection via API, create overrides using the Rulesets API. You can perform the following configurations:
- Turn on or off individual rules by creating rule overrides for those rules.
- Turn on or off all rules with specific tags by creating tag overrides.
For examples of creating overrides using the API, refer to Override a managed ruleset.
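The API deployment described above, as an added example (this is not Cloudflare's own code): one execute rule in the http_response_firewall_managed entry point ruleset, with a rule override and a tag override. The ruleset ID, rule ID, tag, zone ID and API token are placeholders you must fill in from the Cloudflare docs and your account.

```shell
#!/bin/sh
# Added example: deploy the Sensitive Data Detection managed ruleset via the
# Rulesets API. Placeholders: copy the full ruleset ID from the Cloudflare docs,
# and set CF_ZONE_ID / CF_API_TOKEN (token with zone WAF edit permission).
SDD_RULESET_ID="${SDD_RULESET_ID:-<SENSITIVE_DATA_DETECTION_RULESET_ID>}"

# Build the entry point ruleset body: a single execute rule that runs the
# managed ruleset on responses matched by $1 (a filter expression), turning on
# the individual rule $2 and every rule carrying the tag $3 (placeholders).
# Rules in the managed ruleset keep the Log action; overrides only set enabled.
build_sdd_payload() {
  # Escape double quotes so the expression survives as a JSON string.
  esc=$(printf '%s' "$1" | sed 's/"/\\"/g')
  rule_id="$2"; tag="$3"
  cat <<EOF
{
  "rules": [
    {
      "action": "execute",
      "expression": "$esc",
      "description": "Log sensitive data detected in responses",
      "action_parameters": {
        "id": "$SDD_RULESET_ID",
        "overrides": {
          "rules": [ { "id": "$rule_id", "enabled": true } ],
          "categories": [ { "category": "$tag", "enabled": true } ]
        }
      }
    }
  ]
}
EOF
}

# PUT replaces the whole entry point ruleset for the phase, so include every
# rule you want to keep in that phase, not only this one.
deploy_sdd() {
  build_sdd_payload "$@" | curl -sS -X PUT \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/rulesets/phases/http_response_firewall_managed/entrypoint" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# Usage: scan only API responses, enable one rule and all rules with one tag.
# deploy_sdd 'http.request.uri.path contains "/api/"' "<RULE_ID>" "<TAG>"
```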
Review detected leaks
To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following:
- Regularly check Security Events for any events generated by the managed ruleset.
- Configure WAF alerts to be notified of any spike in WAF events. For the Advanced Security Events Alert, you can filter by one or more domains on Enterprise plans and by the Data Loss Protection service to receive specific alerts about Sensitive Data Detection.