Cloudflare Docs
Learning Paths
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Isolate Access applications

  3 min read

Cloudflare Browser Isolation integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device.

Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply Gateway HTTP policies such as:

  • Restrict specific actions and HTTP request methods.
  • Inspect the request body to match against Data Loss Prevention (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent.
  • Control users ability to cut and paste, upload and download files, or print while in an isolated session.

​​ Prerequisites

Your browser must allow third-party cookies on the application domain.

​​ Enable Browser Isolation

  1. In Zero Trust, go to Settings > Browser Isolation.
  2. Enable Clientless Web Isolation.
  1. Next, go to Access > Applications.
  2. Choose a self-hosted application and select Configure.
  3. Choose an Allow policy and select Configure.
  4. Under Additional settings, turn on Isolate application.
  5. Save the policy.

Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to Check if a web page is isolated.

You can optionally add another Allow policy for users on managed devices who do not require isolation.

​​ Example Access policies

In the following example, Policy 1 allows employees on corporate devices to access the application directly. Users who do not match Policy 1, such as employees and contractors on unmanaged devices, will load the application in an isolated browser.

Policy 1: Allow employees who pass device posture checks

ActionRule typeSelectorValue
AllowIncludeEmails ending in@team.com
RequireDevice Posture - Serial Number ListCorporate serial numbers
Additional settingsStatus
Isolate applicationDisabled
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{
"decision": "allow",
"name": "Allow employees who pass device posture checks",
"include": [
{
"email_domain": {
"domain": "team.com"
}
}
],
"exclude": [],
"require": [
{
"device_posture": {
"integration_uid": "<SERIAL_NUMBER_LIST_UUID>"
}
}
],
"precedence": 1
}'

To create a list of serial numbers, refer to Create Zero Trust list.

Policy 2: Allow and isolate contractors

ActionRule typeSelectorValue
AllowIncludeEmails ending in@team.com, @contractors.com
Additional settingsStatus
Isolate applicationEnabled
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_uuid}/policies \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{
"decision": "allow",
"name": "Allow and isolate contractors",
"include": [
{
"email_domain": {
"domain": "team.com"
}
},
{
"email_domain": {
"domain": "contractors.com"
}
}
],
"exclude": [],
"require": [],
"precedence": 2,
"isolation_required": true
}'

​​ Example HTTP policies

​​ Disable file downloads in isolated browser

Prevents users on unmanaged devices from downloading any files from your private application.

SelectorOperatorValueLogicAction
Hostininternal.site.comAndIsolate
Passed Device Posture Checksnot inCorporate serial numbers
Policy settingsStatus
Disable file downloadsEnabled
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{
--data '{
"name": "Disable file downloads in isolated browser",
"conditions": [
{
"type": "traffic",
"expression": {
"in": {
"lhs": "http.request.host",
"rhs": [
"internal.site.com"
]
}
}
},
{
"type": "device_posture",
"expression": {
"any": {
"in": {
"lhs": {
"splat": "device_posture.checks.passed"
},
"rhs": [
"<SERIAL_NUMBER_LIST_UUID>"
]
}
}
}
}
],
"action": "isolate",
"precedence": 14002,
"enabled": true,
"description": "",
"rule_settings": {
"block_page_enabled": false,
"block_reason": "",
"biso_admin_controls": {
"dcp": false,
"dcr": false,
"dd": true,
"dk": false,
"dp": false,
"du": false
}
},
"filters": [
"http"
]
}'

To create a list of serial numbers, refer to Create Zero Trust list.

​​ Block file downloads of sensitive data

Block users on unmanaged devices from downloading files that contain credit card numbers. This logic requires two policies:

SelectorOperatorValueLogicAction
Hostininternal.site.comAndBlock
DLP ProfileinFinancial InformationAnd
Passed Device Posture Checksnot inCorporate serial numbers
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{
"name": "Block credit card numbers",
"conditions": [
{
"type": "traffic",
"expression": {
"and": [
{
"in": {
"lhs": "http.request.host",
"rhs": [
"internal.site.com"
]
}
},
{
"any": {
"in": {
"lhs": {
"splat": "dlp.profiles"
},
"rhs": [
"<DLP_PROFILE_UUID>"
]
}
}
}
]
}
},
{
"type": "device_posture",
"expression": {
"any": {
"in": {
"lhs": {
"splat": "device_posture.checks.passed"
},
"rhs": [
"<SERIAL_NUMBER_LIST_UUID>"
]
}
}
}
}
],
"action": "block",
"precedence": 14003,
"enabled": true,
"description": "",
"rule_settings": {
"block_page_enabled": false,
"block_reason": "",
"biso_admin_controls": null
},
"filters": [
"http"
]
}'

To configure a DLP profile, refer to Update predefined profile or Create custom profile.