Cloudflare Sensitive Data Detection
The Cloudflare Sensitive Data Detection managed ruleset helps identify data leaks generated by your origin servers. Its rules run on the body of the response looking for patterns of common sensitive data, including:
- Personally identifiable information (PII) — For example, passport numbers.
- Financial information — For example, credit card numbers.
- Secrets — For example, API keys.
Turning on Cloudflare Sensitive Data Detection will not introduce additional latency, since the detection occurs outside the response path. For this reason, rules are always deployed with the Log action (you cannot block a response that was already sent), providing you with visibility on the sensitive data leaving your origin servers.
Some rules in the Cloudflare Sensitive Data Detection managed ruleset are disabled by default, to prevent false positives and a large number of logged events. You should review the PII and sensitive data relevant to your application and turn on the appropriate rules in the managed ruleset, according to the instructions in the following sections.
When turned on, Cloudflare Sensitive Data Detection will check all responses sent to visitors (according to your custom filter expression, if defined), including responses from cache and responses handled by Workers.
The detection will handle text, HTML, JSON, and XML content in the response up to 1 MB.
Currently, Cloudflare Sensitive Data Detection does not support matched payload logging.
To configure Cloudflare Sensitive Data Detection in the Cloudflare dashboard, go to Security > Sensitive Data.
You can turn the managed ruleset on or off, and configure the following settings:
- Turn on or off specific rules or rules with specific tags.
- Customize the filter expression. With a custom expression, Cloudflare Sensitive Data Detection applies only to a subset of the incoming requests.
For details on configuring a managed ruleset in the dashboard, refer to Configure a managed ruleset.
To enable Cloudflare Sensitive Data Detection for a given zone using the API, create a rule with execute action in the entry point ruleset for the http_response_firewall_managed phase.
This example deploys the Cloudflare Sensitive Data Detection managed ruleset to the http_response_firewall_managed phase of a given zone ($ZONE_ID) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.
1. Invoke the Get a zone entry point ruleset operation to obtain the definition of the entry point ruleset for the http_response_firewall_managed phase. You will need the zone ID for this task.
At least one of the following token permissions is required:
- Response Compression Read
- Config Settings Write
- Config Settings Read
- Dynamic URL Redirects Write
- Dynamic URL Redirects Read
- Cache Settings Write
- Cache Settings Read
- Custom Errors Write
- Custom Errors Read
- Origin Write
- Origin Read
- Managed headers Write
- Managed headers Read
- Zone Transform Rules Write
- Zone Transform Rules Read
- Mass URL Redirects Write
- Mass URL Redirects Read
- Magic Firewall Write
- Magic Firewall Read
- L4 DDoS Managed Ruleset Write
- L4 DDoS Managed Ruleset Read
- HTTP DDoS Managed Ruleset Write
- HTTP DDoS Managed Ruleset Read
- Sanitize Write
- Sanitize Read
- Transform Rules Write
- Transform Rules Read
- Select Configuration Write
- Select Configuration Read
- Bot Management Write
- Bot Management Read
- Zone WAF Write
- Zone WAF Read
- Account WAF Write
- Account WAF Read
- Account Rulesets Read
- Account Rulesets Write
- Logs Write
- Logs Read
Get a zone entry point ruleset:
```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_response_firewall_managed/entrypoint" \
--request GET \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```
Response:
```json
{
  "result": {
    "description": "Zone-level phase entry point (response)",
    "id": "<RULESET_ID>",
    "kind": "zone",
    "last_updated": "2024-03-16T15:40:08.202335Z",
    "name": "zone",
    "phase": "http_response_firewall_managed",
    "rules": [
      // ...
    ],
    "source": "firewall_managed",
    "version": "10"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
2. If the entry point ruleset already exists (that is, if you received a 200 OK status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the Create a zone ruleset rule operation to add an execute rule to the existing ruleset deploying the Cloudflare Sensitive Data Detection managed ruleset (with ID e22d83c647c64a3eae91b71b499d988e). By default, the rule will be added at the end of the list of rules already in the ruleset.
At least one of the following token permissions is required:
- Config Settings Write
- Dynamic URL Redirects Write
- Cache Settings Write
- Custom Errors Write
- Origin Write
- Managed headers Write
- Zone Transform Rules Write
- Mass URL Redirects Write
- Magic Firewall Write
- L4 DDoS Managed Ruleset Write
- HTTP DDoS Managed Ruleset Write
- Sanitize Write
- Transform Rules Write
- Select Configuration Write
- Bot Management Write
- Zone WAF Write
- Account WAF Write
- Account Rulesets Write
- Logs Write
Create a zone ruleset rule:
```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules" \
--request POST \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--json '{
  "action": "execute",
  "action_parameters": {
    "id": "e22d83c647c64a3eae91b71b499d988e"
  },
  "expression": "true",
  "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
}'
```
Response:
```json
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level phase entry point (response)",
    "description": "",
    "kind": "zone",
    "version": "11",
    "rules": [
      // ... any existing rules
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "e22d83c647c64a3eae91b71b499d988e",
          "version": "latest"
        },
        "expression": "true",
        "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",
        "last_updated": "2024-03-18T18:08:14.003361Z",
        "ref": "<RULE_REF>",
        "enabled": true
      }
    ],
    "last_updated": "2024-03-18T18:08:14.003361Z",
    "phase": "http_response_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```
3. If the entry point ruleset does not exist (that is, if you received a 404 Not Found status code in step 1), create it using the Create a zone ruleset operation. Include a single rule in the rules array that executes the Cloudflare Sensitive Data Detection managed ruleset (with ID e22d83c647c64a3eae91b71b499d988e) for all incoming requests in the zone.
The same token permissions as in step 2 are required.
Create a zone ruleset:
```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
--request POST \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--json '{
  "name": "My ruleset",
  "description": "Entry point ruleset for WAF managed rulesets (response)",
  "kind": "zone",
  "phase": "http_response_firewall_managed",
  "rules": [
    {
      "action": "execute",
      "action_parameters": {
        "id": "e22d83c647c64a3eae91b71b499d988e"
      },
      "expression": "true",
      "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"
    }
  ]
}'
```
To configure the Cloudflare Sensitive Data Detection managed ruleset via API, create overrides using the Rulesets API. You can perform the following configurations:
- Specify the action to perform for all the rules in the ruleset by creating a ruleset override.
- Disable or customize the action of individual rules by creating rule overrides for those rules.
For examples of creating overrides using the API, refer to Override a managed ruleset.
For more information on working with managed rulesets via API, refer to Work with managed rulesets in the Ruleset Engine documentation.
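An added example, not Cloudflare's own code, that scripts the three deployment steps above (look up the response-phase entry point, then either append the execute rule or create the entry point with it) and shows where an override object sits in the execute rule. The names `deploy_sdd`, `execute_rule`, `http_json` and the injectable `fetch` parameter are this example's own; the override shape is assumed from the Rulesets API rather than taken from this page.

```python
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_response_firewall_managed"
SDD_RULESET_ID = "e22d83c647c64a3eae91b71b499d988e"  # managed ruleset ID quoted on the page


def http_json(method, url, token, body=None):
    """Live transport: returns (HTTP status, decoded JSON body). Replaceable via `fetch`."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # a missing entry point (404) lands here
        return err.code, json.load(err)


def execute_rule(overrides=None):
    """Build the execute rule from the page. `overrides` (optional, assumed Rulesets API
    shape) e.g. {"rules": [{"id": "<RULE_ID>", "enabled": True}]} customises rules."""
    params = {"id": SDD_RULESET_ID}
    if overrides:
        params["overrides"] = overrides
    return {"action": "execute", "action_parameters": params, "expression": "true",
            "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"}


def deploy_sdd(zone_id, token, overrides=None, fetch=http_json):
    """Steps 1-3: read the response-phase entry point; on 200 append the rule to it,
    on 404 create the entry point ruleset with that single rule. Returns the result."""
    base = f"{API}/zones/{zone_id}/rulesets"
    status, body = fetch("GET", f"{base}/phases/{PHASE}/entrypoint", token)
    rule = execute_rule(overrides)
    if status == 200:
        ruleset_id = body["result"]["id"]
        status, body = fetch("POST", f"{base}/{ruleset_id}/rules", token, rule)
    elif status == 404:
        status, body = fetch("POST", base, token, {
            "name": "My ruleset",
            "description": "Entry point ruleset for WAF managed rulesets (response)",
            "kind": "zone", "phase": PHASE, "rules": [rule]})
    else:
        raise RuntimeError(f"unexpected status {status}: {body.get('errors')}")
    if not body.get("success"):
        raise RuntimeError(f"API error: {body.get('errors')}")
    return body["result"]
```

The token only needs to be passed in; any other status than 200 or 404 on the lookup is treated as an error rather than guessed at.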
To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following:
- Regularly check Security Events for any events generated by the managed ruleset.
- Configure WAF alerts to be alerted of any spike of WAF events. For the Advanced Security Events Alert, you can filter by one or more domains on Enterprise plans and by the Data Loss Protection service to receive specific alerts about Sensitive Data Detection.