Set up Data Loss Prevention (DLP)

Add Data Loss Prevention (DLP) to any AI Gateway to start scanning AI prompts and responses for sensitive data.

Prerequisites

• An existing AI Gateway

Enable DLP for AI Gateway

1. Log into the Cloudflare dashboard ↗ and select your account.
2. Go to AI > AI Gateway.
3. Select a gateway where you want to enable DLP.
4. Go to the Firewall tab.
5. Toggle Data Loss Prevention (DLP) to On.

Add DLP policies

After enabling DLP, you can create policies to define how sensitive data should be handled:

1. Under the DLP section, click Add Policy.

2. Configure the following fields for each policy:

   • Policy ID: Enter a unique name for this policy (e.g., "Block-PII-Requests")

   • DLP Profiles: Select the DLP profiles to check against. AI requests/responses will be checked against each of the selected profiles. Available profiles include:

     • Financial Information - Credit cards, bank accounts, routing numbers
     • Personal Identifiable Information (PII) - Names, addresses, phone numbers
     • Government Identifiers - SSNs, passport numbers, driver's licenses
     • Healthcare Information - Medical record numbers, patient data
     • Custom Profiles - Organization-specific data patterns

     Note

     DLP profiles can be created and managed in the Zero Trust DLP dashboard.

   • Action: Choose the action to take when any of the selected profiles match:

     • Flag - Record the detection for audit purposes without blocking
     • Block - Prevent the request/response from proceeding

   • Check: Select what to scan:

     • Request - Scan user prompts sent to AI providers
     • Response - Scan AI model responses before returning to users
     • Both - Scan both requests and responses

3. Click Save to save your policy configuration.

Manage DLP policies

You can create multiple DLP policies with different configurations:

• Add multiple policies: Click Add Policy to create additional policies with different profile combinations or actions
• Enable/disable policies: Use the toggle next to each policy to individually enable or disable them without deleting the configuration
• Edit policies: Click on any existing policy to modify its settings
• Save changes: Always click Save after making any changes to apply them

Test your configuration

After configuring DLP settings:

1. Make a test AI request through your gateway that contains sample sensitive data.
2. Check the AI Gateway Logs to verify DLP scanning is working.
3. Review the detection results and adjust profiles or actions as needed.

Monitor DLP events

Viewing DLP logs in AI Gateway

DLP events are integrated into your AI Gateway logs. When a DLP policy matches, the log entry includes details about the match alongside standard log fields like provider, model, tokens, and cost.

1. Go to AI > AI Gateway > your gateway > Logs.
2. Select any log entry to view detailed information. For requests where DLP policies were triggered, the log entry includes additional DLP fields:

Field	Description
DLP Action	The action taken by the DLP policy: FLAG or BLOCK
DLP Policies Matched	The IDs of the DLP policies that matched
DLP Profiles Matched	The IDs of the DLP profiles that triggered within each matched policy
DLP Entries Matched	The specific detection entry IDs that matched within each profile
DLP Check	Whether the match occurred in the REQUEST, RESPONSE, or both

DLP fields in the Logs API

When you retrieve logs through the Logs API, log entries for requests where DLP policies matched include DLP-specific fields in the response. These fields contain the same match data surfaced in the dashboard and in the cf-aig-dlp response header, including the action taken, matched policy IDs, matched profile IDs, and entry IDs.

For more information on log fields, refer to the Logging documentation.

Filter DLP events

To view only DLP-related requests:

1. On the Logs tab, select Add Filter.
2. Select DLP Action from the filter options.
3. Choose to filter by:
   • FLAG - Show only requests where sensitive data was flagged
   • BLOCK - Show only requests that were blocked due to DLP policies

Error handling

When DLP policies are triggered, your application will receive additional information through response headers and error codes.

DLP response header

When a request matches DLP policies (whether flagged or blocked), an additional cf-aig-dlp header is returned containing detailed information about the match:

Header schema

{
  "findings": [
    {
      "profile": {
        "context": {},
        "entry_ids": ["string"],
        "profile_id": "string"
      },
      "policy_ids": ["string"],
      "check": "REQUEST" | "RESPONSE"
    }
  ],
  "action": "BLOCK" | "FLAG"
}

Example header value

{
  "findings": [
    {
      "profile": {
        "context": {},
        "entry_ids": [
          "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "f7e8d9c0-b1a2-3456-789a-bcdef0123456"
        ],
        "profile_id": "12345678-90ab-cdef-1234-567890abcdef"
      },
      "policy_ids": ["block_financial_data"],
      "check": "REQUEST"
    }
  ],
  "action": "BLOCK"
}

Use this header to programmatically detect which DLP profiles and entries were matched, which policies triggered, and whether the match occurred in the request or response.

Error codes for blocked requests

When DLP blocks a request, your application will receive structured error responses:

• Request blocked by DLP

  • "code": 2029
  • "message": "Request content blocked due to DLP policy violations"

• Response blocked by DLP

  • "code": 2030
  • "message": "Response content blocked due to DLP policy violations"

Handle these errors in your application:

JavaScript

try {
  const res = await env.AI.run('@cf/meta/llama-3.1-8b-instruct', {
    prompt: userInput
  }, {
    gateway: {id: 'your-gateway-id'}
  })
  return Response.json(res)
} catch (e) {
  if ((e as Error).message.includes('2029')) {
    return new Response('Request contains sensitive data and cannot be processed.')
  }
  if ((e as Error).message.includes('2030')) {
    return new Response('AI response was blocked due to sensitive content.')
  }
  return new Response('AI request failed')
}

Best practices

• Start with flagging: Begin with "Flag" actions to understand what data is being detected before implementing blocking
• Tune confidence levels: Adjust detection sensitivity based on your false positive tolerance
• Use appropriate profiles: Select DLP profiles that match your data protection requirements
• Monitor regularly: Review DLP events to ensure policies are working as expected
• Test thoroughly: Validate DLP behavior with sample sensitive data before production deployment

Troubleshooting

DLP not triggering

• Verify DLP toggle is enabled for your gateway
• Ensure selected DLP profiles are appropriate for your test data
• Confirm confidence levels aren't set too high

Unexpected blocking

• Review DLP logs to see which profiles triggered
• Consider lowering confidence levels for problematic profiles
• Test with different sample data to understand detection patterns
• Adjust profile selections if needed

For additional support with DLP configuration, refer to the Cloudflare Data Loss Prevention documentation or contact your Cloudflare support team.