Data Loss Prevention

Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.

Data in transit

Data Loss Prevention complements Secure Web Gateway to detect sensitive data transferred in HTTP requests. DLP scans the entire HTTP body, which may include uploaded or downloaded files, chat messages, forms, and other web content. You can also use DLP with Email Security to scan outbound emails.

DLP requires Gateway HTTP filtering with TLS decryption for visibility into data in transit. The depth of visibility varies for each site or application. DLP does not scan any traffic that bypasses Cloudflare Gateway (such as traffic that matches a Do Not Inspect policy).

To get started, refer to Scan HTTP traffic with DLP.

Data at rest

Data Loss Prevention complements Cloudflare CASB to detect sensitive data stored in your SaaS applications. Unlike data in transit scans, which read files sent through Cloudflare Gateway, CASB retrieves files directly via the API. Therefore, Gateway and WARP settings (such as Do Not Inspect policies and Split Tunnel configurations) will not affect data at rest scans.

To get started, refer to Scan SaaS applications with DLP.

Supported file types

Formats

DLP supports scanning the following file types:

  • Text and CSV
  • Microsoft Office 2007 and later (.docx, .xlsx, .pptx), including Microsoft 365
  • PDF
  • ZIP files containing the above

Size

The maximum file size is 100 MB. The size limit is assessed against the file after unzipping. ZIP files can be recursively compressed a maximum of 10 times.
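
To audit which files fall outside the limits above, and so would need another control, the following added example (not Cloudflare code) walks a file or nested ZIP and lists every item DLP would not scan under these rules. Assumptions: file type is judged by extension with ".txt" standing in for "Text", "100 MB" means decimal megabytes applied to each extracted file, and the names coverage_gaps, make_zip and nested_zip are hypothetical.

```python
import io
import os
import zipfile

MAX_BYTES = 100 * 1000 * 1000  # page: "100 MB"; decimal megabytes is an assumption
MAX_ZIP_LAYERS = 10            # page: ZIPs "recursively compressed a maximum of 10 times"
SUPPORTED = {".txt", ".csv", ".docx", ".xlsx", ".pptx", ".pdf"}  # ".txt" assumed for "Text"


def coverage_gaps(name, data, layers=0, max_bytes=MAX_BYTES):
    """Return [(path, reason)] for content outside the documented scan limits."""
    ext = os.path.splitext(name)[1].lower()
    if ext != ".zip":
        if ext not in SUPPORTED:
            return [(name, "unsupported file type")]
        return [(name, "over size limit")] if len(data) > max_bytes else []
    if layers + 1 > MAX_ZIP_LAYERS:
        return [(name, "too many ZIP layers")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable ZIP")]
    gaps = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{name}!{info.filename}"
            if info.file_size > max_bytes:  # header size, checked before inflating
                gaps.append((path, "over size limit"))
            else:
                gaps += coverage_gaps(path, archive.read(info), layers + 1, max_bytes)
    return gaps


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member, content in members.items():
            archive.writestr(member, content)
    return buf.getvalue()


def nested_zip(layers):
    """Wrap one CSV in `layers` ZIP layers (constructed sample)."""
    data = make_zip({"cards.csv": b"name,number\n"})
    for i in range(layers - 1):
        data = make_zip({f"layer{i}.zip": data})
    return data
```

For example, coverage_gaps("eleven.zip", nested_zip(11)) reports the innermost archive as one layer too deep, while the same CSV wrapped in 10 layers returns an empty list.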