Cloudflare Browser Isolation — Remote Browsing

DodaTech 4 min read

Cloudflare Browser Isolation runs web content in a remote containerised browser and streams a safe visual rendering to the user, completely isolating the endpoint from web-based threats.

What You Will Learn

You will learn how Browser Isolation works, how to configure isolation policies in Cloudflare Gateway, and how to deploy isolated browsing for high-risk users and untrusted sites.

Why It Matters

Traditional web security relies on detecting threats before they execute. Browser Isolation removes that dependency on detection by ensuring no web code ever reaches the endpoint. Even zero-day exploits in the browser are harmless to the endpoint because they execute in a disposable remote container.

Real-World Use Case

A financial services firm deployed Browser Isolation for all employees accessing external websites. Phishing attempts that bypassed email filters were rendered in isolated browsers, preventing credential theft. The firm saw zero browser-based security incidents in 18 months post-deployment.

Browser Isolation Architecture

The remote browser executes all web code and sends only a pixel-perfect rendering to the user device.

flowchart TD
    A[User Device] -->|Request URL| B[Cloudflare Edge]
    B --> C{Browser Isolation Policy}
    C -->|Isolate| D[Remote Browser Container]
    D -->|Execute JavaScript| E[Destination Site]
    D -->|Rendering Stream| A
    A -.->|No Code Execution| A
    C -->|Allow Direct| F[Direct Browsing]

Enabling Browser Isolation

Browser Isolation is configured through Gateway HTTP policies.

# Create an HTTP policy that isolates all traffic
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/http_policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Isolate All Traffic",
    "description": "Isolates all HTTP traffic in remote browsers",
    "rules": [
      {
        "name": "Isolate All",
        "conditions": [
          {"field": "http.request.method", "operator": "in", "value": ["GET", "POST"]}
        ],
        "action": "isolate"
      }
    ],
    "enabled": true
  }' | jq '.result.name, .result.rules[0].action'

Expected output:

"Isolate All Traffic"
"isolate"

Creating Selective Isolation Policies

Isolate only untrusted sites while allowing trusted domains to load directly.

# Create a policy that isolates uncategorised and new domains
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/http_policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Isolate Uncategorised Domains",
    "description": "Isolates domains not yet categorised by Cloudflare",
    "rules": [
      {
        "name": "Uncategorised Domains",
        "conditions": [
          {"field": "domain.category", "operator": "is", "value": "uncategorised"}
        ],
        "action": "isolate"
      }
    ],
    "enabled": true
  }' | jq '.success'

Expected output:

true
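
Before pushing a selective policy, it helps to dry-run the rule JSON and confirm that every untrusted category ends up isolated. The following is an added example, not code from the original page or from Cloudflare: it models rules in the shape used above and probes them for gaps. It assumes rules are evaluated in order with the first match winning and unmatched traffic loading directly; the `http.request.host` field, the category name `newly seen` and the `example.com` hosts are hypothetical.

```python
# Added example: a dry-run model of the rule JSON above, not Cloudflare's engine.
# Assumptions: rules run in order, first match wins, unmatched traffic loads
# directly; "http.request.host" and the category name "newly seen" are hypothetical.
UNTRUSTED = {"uncategorised", "newly seen"}

def matches(cond, req):
    """Evaluate one {"field", "operator", "value"} condition against a request."""
    actual = req.get(cond["field"])
    if cond["operator"] == "is":
        return actual == cond["value"]
    if cond["operator"] == "in":
        return actual in cond["value"]
    raise ValueError(f"unsupported operator: {cond['operator']}")

def decide(rules, req):
    """Return (action, rule name) for the first rule whose conditions all match."""
    for rule in rules:
        if all(matches(c, req) for c in rule["conditions"]):
            return rule["action"], rule["name"]
    return "allow", None  # assumed default: no rule matched, site loads directly

def coverage_gaps(rules):
    """Probe each untrusted category; report any that would not be isolated."""
    gaps = []
    for category in sorted(UNTRUSTED):
        probe = {"http.request.method": "GET",
                 "http.request.host": "probe.invalid",
                 "domain.category": category}
        action, rule = decide(rules, probe)
        if action != "isolate":
            gaps.append((category, action, rule))
    return gaps

# Constructed policy: three trusted apps load directly, uncategorised sites isolate.
RULES = [
    {"name": "Trusted Apps", "action": "allow", "conditions": [
        {"field": "http.request.host", "operator": "in",
         "value": ["intranet.example.com", "crm.example.com", "docs.example.com"]}]},
    {"name": "Uncategorised Domains", "action": "isolate", "conditions": [
        {"field": "domain.category", "operator": "is", "value": "uncategorised"}]},
]

if __name__ == "__main__":
    for category, action, rule in coverage_gaps(RULES):
        print(f"GAP: category {category!r} gets {action!r} (matched rule: {rule})")
```

The constructed policy isolates uncategorised domains but says nothing about newly seen ones, so the probe reports that category as loading directly.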

Configuring Clipboard and File Controls

Restrict what users can copy or download from isolated browsers.

curl -s -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/isolated_browser_settings" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "clipboard_redirection": "none",
    "file_download": "disallow",
    "file_upload": "disallow",
    "keyboard_redirection": "none"
  }' | jq '.result.clipboard_redirection'

Expected output:

"none"

Viewing Isolation Session Logs

Monitor isolation sessions and user activity through Gateway logs.

# Fetch recent isolation session logs
# The filter is sent as a JSON body, so declare its content type
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/http_logs" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"limit": 3, "filter": {"action": "isolate"}}' \
  | jq '.result[] | {url: .http.request.url, user: .user.email, timestamp: .datetime}'

Expected output:

{
  "url": "https://unknown-site.com/page",
  "user": "user@company.com",
  "timestamp": "2025-06-23T10:00:00Z"
}
{
  "url": "https://new-domain.org/resource",
  "user": "user@company.com",
  "timestamp": "2025-06-23T10:00:05Z"
}
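
Isolation logs are most useful when reviewed for what is missing or inconsistent. The following is an added example, not part of the original page or any Cloudflare tooling: it audits exported records for users with no Gateway activity and for hosts that were isolated for some requests but loaded directly for others. Records follow the field layout in the jq filter above; the top-level `action` field, the extra users and the records themselves are constructed assumptions.

```python
# Added example, not Cloudflare tooling. Record layout follows the jq filter
# above; the top-level "action" field on each record is an assumption.
from collections import defaultdict
from urllib.parse import urlsplit

def audit(records, expected_users):
    """Return users with no Gateway activity and hosts with mixed actions."""
    seen_users = set()
    actions_by_host = defaultdict(set)
    for rec in records:
        seen_users.add(rec["user"]["email"].lower())
        host = urlsplit(rec["http"]["request"]["url"]).hostname
        actions_by_host[host].add(rec["action"])
    # No records at all: the user may be browsing without the WARP client,
    # or may simply have been inactive. Either way it needs a follow-up.
    silent = sorted(u for u in expected_users if u.lower() not in seen_users)
    # Same host both isolated and allowed: some rule lets it load directly.
    mixed = sorted(h for h, acts in actions_by_host.items()
                   if {"isolate", "allow"} <= acts)
    return {"silent_users": silent, "mixed_hosts": mixed}

# Constructed sample records (not real log data).
SAMPLE = [
    {"datetime": "2025-06-23T10:00:00Z", "action": "isolate",
     "user": {"email": "user@company.com"},
     "http": {"request": {"url": "https://unknown-site.com/page"}}},
    {"datetime": "2025-06-23T10:00:05Z", "action": "isolate",
     "user": {"email": "user@company.com"},
     "http": {"request": {"url": "https://new-domain.org/resource"}}},
    {"datetime": "2025-06-23T10:02:11Z", "action": "allow",
     "user": {"email": "analyst@company.com"},
     "http": {"request": {"url": "https://unknown-site.com/login"}}},
]
EXPECTED_USERS = ["user@company.com", "analyst@company.com", "contractor@company.com"]

if __name__ == "__main__":
    report = audit(SAMPLE, EXPECTED_USERS)
    print("No Gateway activity:", report["silent_users"])
    print("Isolated and allowed:", report["mixed_hosts"])
```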

Common Mistakes

| Mistake | Consequence |
| --- | --- |
| Not enabling HTTP filtering alongside isolation | Isolation policies do not apply without Gateway HTTP configured |
| Using allow action instead of isolate for untrusted domains | Users browse dangerous sites directly without protection |
| Leaving clipboard redirection enabled | Users can copy sensitive data from isolated sites to their clipboard |
| Forgetting to deploy WARP client | Off-network users bypass Browser Isolation entirely |
| Not testing isolation with JavaScript-heavy apps | Some single-page applications may have rendering latency |

Practice Questions

  1. How does Browser Isolation protect against zero-day browser exploits?
  2. What is the difference between isolating all traffic versus selective isolation based on domain categorisation?
  3. Why must Gateway HTTP filtering be enabled before Browser Isolation policies can work?

Challenge

Configure Browser Isolation to isolate all domains categorised as newly seen or uncategorised. Whitelist three trusted domains (your corporate intranet, a CRM, and a document editor) to load directly. Test by visiting a known uncategorised domain and verifying it loads in an isolated browser. Verify clipboard copy is blocked.

Real-World Task

Your organisation deals with sensitive client data and wants to prevent data exfiltration through web browsing. Deploy Browser Isolation for all external websites while allowing direct access to internal applications and trusted SaaS tools. Configure clipboard redirection to disallow copy-paste from isolated sessions. Disable file downloads in isolated browsers. Test the setup by confirming that a known malware test site loads in isolation and that copying text from it is blocked.

FAQ

Does Browser Isolation work with single-page applications like Gmail or Office 365?

Yes. Browser Isolation supports modern web applications including single-page apps, streaming video, and real-time collaboration tools. The remote browser executes all JavaScript and the rendering is streamed to the user. Some latency-sensitive interactions like dragging and dropping may feel slightly different, but core functionality works without modification.

What happens to user sessions and cookies in an isolated browser?

Each isolated browsing session creates a fresh remote browser container. Session data and cookies exist only within that container and are destroyed when the session ends. This means users must re-authenticate for each isolation session, which provides additional security by preventing session hijacking across sessions.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
