Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Set up HTTP filtering

Secure Web Gateway allows you to inspect HTTP traffic and control which websites users can visit.

​​ 1. Connect to Gateway

To filter HTTP requests from a device:

  1. Install the Cloudflare root certificate on your device .
  2. Install the WARP client on your device.
  3. In the WARP client Settings, log in to your organization’s Zero Trust instance.
  4. Enable the Gateway proxy:
    1. In Zero Trust, navigate to Settings > Network.
    2. Enable Proxy for TCP.
    3. (Optional) Enable Proxy for UDP. All port 443 UDP traffic will be inspected by Gateway.
    4. Enable TLS decryption.

​​ 2. Verify device connectivity

  1. In Zero Trust, navigate to Settings > Network.
  2. Under Gateway logging, enable activity logging for all HTTP logs.
  3. On your WARP-enabled device, open a browser and visit any website.
  4. In Zero Trust, navigate to Logs > Gateway > HTTP. Before building HTTP policies, make sure you see HTTP queries from the email associated with your device.

To create a new HTTP policy, navigate to Gateway > Firewall Policies > HTTP in Zero Trust. We recommend adding the following policies:

​​ Bypass inspection for incompatible applications

Bypass HTTP inspection for applications which use embedded certificates. This will help avoid any certificate pinning errors that may arise from an initial rollout.

SelectorOperatorValueAction
ApplicationinDo Not InspectDo Not Inspect

​​ Block all security categories

Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.

SelectorOperatorValueAction
Security categoriesinAll security risksBlock

​​ 4. Add optional policies

Refer to our list of common HTTP policies for other policies you may want to create.