Cloudflare Browser Isolation — Remote Browsing
Cloudflare Browser Isolation runs web content in a remote containerised browser and streams a safe visual rendering to the user, completely isolating the endpoint from web-based threats.
What You Will Learn
You will learn how Browser Isolation works, how to configure isolation policies in Cloudflare Gateway, and how to deploy isolated browsing for high-risk users and untrusted sites.
Why It Matters
Traditional web security relies on detecting threats before they execute. Browser Isolation eliminates the need for detection by ensuring no web code ever reaches the endpoint. Even zero-day exploits in the browser are harmless because they execute in a disposable remote container.
Real-World Use Case
A financial services firm deployed Browser Isolation for all employees accessing external websites. Phishing attempts that bypassed email filters were rendered in isolated browsers, preventing credential theft. The firm saw zero browser-based security incidents in 18 months post-deployment.
Browser Isolation Architecture
The remote browser executes all web code and sends only a pixel-perfect rendering to the user device.
flowchart TD
A[User Device] -->|Request URL| B[Cloudflare Edge]
B --> C{Browser Isolation Policy}
C -->|Isolate| D[Remote Browser Container]
D -->|Execute JavaScript| E[Destination Site]
D -->|Rendering Stream| A
A -.->|No Code Execution| A
C -->|Allow Direct| F[Direct Browsing]
Enabling Browser Isolation
Browser Isolation is configured through Gateway HTTP policies.
# Create an HTTP policy that isolates all traffic
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/http_policies" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Isolate All Traffic",
"description": "Isolates all HTTP traffic in remote browsers",
"rules": [
{
"name": "Isolate All",
"conditions": [
{"field": "http.request.method", "operator": "in", "value": ["GET", "POST"]}
],
"action": "isolate"
}
],
"enabled": true
}' | jq '.result.name, .result.rules[0].action'
Expected output:
"Isolate All Traffic"
"isolate"
Creating Selective Isolation Policies
Isolate only untrusted sites while allowing trusted domains to load directly.
# Create a policy that isolates uncategorised and new domains
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/http_policies" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Isolate Uncategorised Domains",
"description": "Isolates domains not yet categorised by Cloudflare",
"rules": [
{
"name": "Uncategorised Domains",
"conditions": [
{"field": "domain.category", "operator": "is", "value": "uncategorised"}
],
"action": "isolate"
}
],
"enabled": true
}' | jq '.success'
Expected output:
true
Configuring Clipboard and File Controls
Restrict what users can copy or download from isolated browsers.
curl -s -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/isolated_browser_settings" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"clipboard_redirection": "none",
"file_download": "disallow",
"file_upload": "disallow",
"keyboard_redirection": "none"
}' | jq '.result.clipboard_redirection'
Expected output:
"none"
Viewing Isolation Session Logs
Monitor isolation sessions and user activity through Gateway logs.
# Fetch recent isolation session logs
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/http_logs" \
-H "Authorization: Bearer $API_TOKEN" \
--data '{"limit": 3, "filter": {"action": "isolate"}}' | jq '.result[] | {url: .http.request.url, user: .user.email, timestamp: .datetime}'
Expected output:
{
"url": "https://unknown-site.com/page",
"user": "user@company.com",
"timestamp": "2025-06-23T10:00:00Z"
}
{
"url": "https://new-domain.org/resource",
"user": "user@company.com",
"timestamp": "2025-06-23T10:00:05Z"
}
Common Mistakes
| Mistake | Consequence |
|---|---|
| Not enabling HTTP filtering alongside isolation | Isolation policies do not apply without Gateway HTTP configured |
| Using allow action instead of isolate for untrusted domains | Users browse dangerous sites directly without protection |
| Leaving clipboard redirection enabled | Users can copy sensitive data from isolated sites to their clipboard |
| Forgetting to deploy WARP client | Off-network users bypass Browser Isolation entirely |
| Not testing isolation with JavaScript-heavy apps | Some single-page applications may have rendering latency |
Practice Questions
- How does Browser Isolation protect against zero-day browser exploits?
- What is the difference between isolating all traffic versus selective isolation based on domain categorisation?
- Why must Gateway HTTP filtering be enabled before Browser Isolation policies can work?
Challenge
Configure Browser Isolation to isolate all domains categorised as newly seen or uncategorised. Whitelist three trusted domains (your corporate intranet, a CRM, and a document editor) to load directly. Test by visiting a known uncategorised domain and verifying it loads in an isolated browser. Verify clipboard copy is blocked.
Real-World Task
Your organisation deals with sensitive client data and wants to prevent data exfiltration through web browsing. Deploy Browser Isolation for all external websites while allowing direct access to internal applications and trusted SaaS tools. Configure clipboard redirection to disallow copy-paste from isolated sessions. Disable file downloads in isolated browsers. Test the setup by confirming that a known malware test site loads in isolation and that copying text from it is blocked.
FAQ
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro