---
title: Cloudflare Sensitive Data Detection
description: Detect sensitive data like credit card numbers in HTTP responses.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare Sensitive Data Detection

Note

This feature requires an Enterprise plan.

The Cloudflare Sensitive Data Detection managed ruleset helps identify data leaks generated by your origin servers. Its rules run on the body of the response looking for patterns of common sensitive data, including:

* [Personally identifiable information ↗](https://www.cloudflare.com/learning/privacy/what-is-pii/) (PII) — For example, passport numbers.
* Financial information — For example, credit card numbers.
* Secrets — For example, API keys.

Turning on Cloudflare Sensitive Data Detection will not introduce additional latency, since the detection occurs outside the response path. For this reason, rules are always deployed with the _Log_ action (you cannot block a response that was already sent), providing you with visibility on the sensitive data leaving your origin servers.

Note

Some rules in the Cloudflare Sensitive Data Detection managed ruleset are disabled by default, to prevent false positives and a large number of logged events. You should review the PII and sensitive data relevant to your application and turn on the appropriate rules in the managed ruleset, according to the instructions in the following sections.

## Additional remarks

When turned on, Cloudflare Sensitive Data Detection will check all responses sent to visitors (according to your custom filter expression, if defined), including responses from cache and responses handled by [Workers](https://developers.cloudflare.com/workers/).

The detection will handle text, HTML, JSON, and XML content in the response up to 1 MB.

Currently, Cloudflare Sensitive Data Detection does not support [matched payload logging](https://developers.cloudflare.com/waf/managed-rules/payload-logging/).

---

## Deploy the Cloudflare Sensitive Data Detection ruleset

Note

Requires an Enterprise plan.

**New dashboard**

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Web application exploits**.
3. Turn on **Sensitive data detection** to deploy the ruleset.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Sensitive data**.
3. Turn on **Cloudflare Sensitive Data Detection** to deploy the ruleset.

## Configure in the dashboard

You can configure (or override) the Cloudflare Sensitive Data Detection ruleset at several levels:

* [Ruleset level](#ruleset-level-configuration)
* [Tag level](#tag-level-configuration)
* [Rule level](#rule-level-configuration)

More specific configurations (rule and tag level) have greater priority than less specific configurations (ruleset level). Refer to [Override a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) in the Ruleset Engine documentation for more information.

### Ruleset-level configuration

You can configure (or override) the following Cloudflare Sensitive Data Detection setting in the Cloudflare dashboard:

* **Scope**: When you define a custom filter expression for the scope, the Cloudflare Sensitive Data Detection ruleset applies only to a subset of the incoming requests. By default, a managed ruleset deployed in the dashboard applies to all incoming traffic.

Once you have [deployed the Cloudflare Sensitive Data Detection ruleset](#deploy-in-the-dashboard), do the following to configure it in the dashboard:

**New dashboard**

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Web application exploits**.
3. For **Sensitive data detection**, select **Configured ruleset: <SCOPE>** to edit the ruleset scope.  
Decide if you want to apply the managed ruleset to all incoming requests (global scope) or to a subset.
4. If you selected **Custom filter expression**, define the filter expression that will determine which requests the Cloudflare Sensitive Data Detection ruleset will apply to.
5. Select **Next**, and then select **Save**.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Sensitive Data**.
3. Next to **Cloudflare Sensitive Data Detection**, select the three dots > **Edit**.
4. Select **Edit scope** and decide if you want to apply the managed ruleset to all incoming requests or to a subset. If you select **Custom filter expression**, define the filter expression that will determine which requests the Cloudflare Sensitive Data Detection ruleset will apply to.
5. Select **Next**, and then select **Save**.

### Tag-level configuration

You can configure (or override) the following setting in the dashboard for rules tagged with at least one of the selected tags:

* **Rule status**: Sets the rule status for all the rules with the selected tags.

Note

Setting the rule status for specific tags affects all current and future rules with the tags you selected.

Once you have [deployed the Cloudflare Sensitive Data Detection ruleset](#deploy-in-the-dashboard), do the following to configure rules with specific tags in the dashboard:

**New dashboard**

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Web application exploits**.
3. For **Sensitive data detection**, select **Configured ruleset: <SCOPE>**, and then select **Next**.
4. Select **Browse rules**.  
![The Cloudflare dashboard displaying the list of rules in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/rules-config-sdd-ruleset.CggZM4C2_Zu69Mo.webp)
5. Select one or more tags under the search input to filter the rules with those tags, and then select the checkbox in the top left corner of the table to select all the rules shown in the current page.  
If not all the rules are displayed in the current page, extend your selection to all rules with the selected tags across all pages by selecting **Select all <NUMBER> rules**.  
![The Configure deployment page displaying selected rules with the 'encryption' tag in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/tags-config-sdd-ruleset.DQw7m2sB_nJQp2.webp)
6. Update one or more settings for the selected rules using the buttons displayed in the top right corner of the table (for example, **Set status**).
7. Select **Next**.
8. A dialog appears asking you if any new rules with the selected tags should be configured with the field values you selected.  
   * Select **Include new rules** if you want to apply your configurations to any new rules with the selected tags.  
   * Select **Only selected rules** to apply your configurations to the selected rules only.
9. Select **Save**.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Sensitive Data**.
3. Next to **Cloudflare Sensitive Data Detection**, select the three dots > **Edit**.
4. Select **Browse rules**.  
![The Cloudflare dashboard displaying the list of rules in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/rules-config-sdd-ruleset.CggZM4C2_Zu69Mo.webp)
5. Select one or more tags under the search input to filter the rules with those tags, and then select the checkbox in the top left corner of the table to select all the rules shown in the current page.  
If not all the rules are displayed in the current page, extend your selection to all rules with the selected tags across all pages by selecting **Select all <NUMBER> rules**.  
![The Configure deployment page displaying selected rules with the 'encryption' tag in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/tags-config-sdd-ruleset.DQw7m2sB_nJQp2.webp)
6. Update one or more settings for the selected rules using the buttons displayed in the top right corner of the table (for example, **Set status**).
7. Select **Next**.
8. A dialog appears asking you if any new rules with the selected tags should be configured with the field values you selected.  
   * Select **Include new rules** if you want to apply your configurations to any new rules with the selected tags.  
   * Select **Only selected rules** to apply your configurations to the selected rules only.
9. Select **Save**.

### Rule-level configuration

You can configure (or override) the following setting in the dashboard for the selected rules:

* **Rule status**: Sets the status (enabled or disabled) of a single rule or, if you select multiple rules, for the selected rules.

Once you have [deployed the Cloudflare Sensitive Data Detection ruleset](#deploy-in-the-dashboard), do the following to configure individual ruleset rules in the dashboard:

**New dashboard**

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Web application exploits**.
3. For **Sensitive data detection**, select **Configured ruleset: <SCOPE>**, and then select **Next**.
4. Select **Browse rules**.  
![The Cloudflare dashboard displaying the list of rules in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/rules-config-sdd-ruleset.CggZM4C2_Zu69Mo.webp)
5. Search for rules using the available filters.
6. In the results list, change the values for each rule as desired, using the displayed drop-down lists and toggles. For example, change the status of a rule using the **Status** toggle next to the rule.  
To configure multiple rules with the same value, select the checkboxes for all the rules you want to configure. If not all the rules are displayed in the current page, you can extend your selection to all rules across all pages by selecting **Select all <NUMBER> rules**. Then, use the buttons displayed in the top right corner of the table — for example, **Set status** — to update one or more fields for the selected rules.  
![The Configure deployment page displaying selected rules in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/tags-config-sdd-ruleset.DQw7m2sB_nJQp2.webp)
7. Select **Next**, and then select **Save**.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Sensitive Data**.
3. Next to **Cloudflare Sensitive Data Detection**, select the three dots > **Edit**.
4. Select **Browse rules**.  
![The Cloudflare dashboard displaying the list of rules in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/rules-config-sdd-ruleset.CggZM4C2_Zu69Mo.webp)
5. Search for rules using the available filters.
6. In the results list, change the values for each rule as desired, using the displayed drop-down lists and toggles. For example, change the status of a rule using the **Status** toggle next to the rule.  
To configure multiple rules with the same value, select the checkboxes for all the rules you want to configure. If not all the rules are displayed in the current page, you can extend your selection to all rules across all pages by selecting **Select all <NUMBER> rules**. Then, use the buttons displayed in the top right corner of the table — for example, **Set status** — to update one or more fields for the selected rules.  
![The Configure deployment page displaying selected rules in the Sensitive Data Detection ruleset.](https://developers.cloudflare.com/_astro/tags-config-sdd-ruleset.DQw7m2sB_nJQp2.webp)
7. Select **Next**, and then select **Save**.

## Configure via API

To deploy the Cloudflare Sensitive Data Detection ruleset for a given zone using the API, create a rule with `execute` action in the [entry point ruleset](https://developers.cloudflare.com/ruleset-engine/about/rulesets/#entry-point-ruleset) for the `http_response_firewall_managed` phase.

### Example

This example deploys the Cloudflare Sensitive Data Detection ruleset to the `http_response_firewall_managed` phase of a given zone (`$ZONE_ID`) by creating a rule that executes the managed ruleset. The rules in the managed ruleset are executed for all incoming requests.

1. Invoke the [Get a zone entry point ruleset](https://developers.cloudflare.com/api/resources/rulesets/subresources/phases/methods/get/) operation to obtain the definition of the entry point ruleset for the `http_response_firewall_managed` phase. You will need the [zone ID](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/) for this task.  
Get a zone entry point ruleset  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_response_firewall_managed/entrypoint" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```  
```  
{  
  "result": {  
    "description": "Zone-level phase entry point (response)",  
    "id": "<RULESET_ID>",  
    "kind": "zone",  
    "last_updated": "2024-03-16T15:40:08.202335Z",  
    "name": "zone",  
    "phase": "http_response_firewall_managed",  
    "rules": [  
      // ...  
    ],  
    "source": "firewall_managed",  
    "version": "10"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
2. If the entry point ruleset already exists (that is, if you received a `200 OK` status code and the ruleset definition), take note of the ruleset ID in the response. Then, invoke the [Create a zone ruleset rule](https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/create/) operation to add an `execute` rule to the existing ruleset deploying the Cloudflare Sensitive Data Detection managed ruleset (with ID `e22d83c647c64a3eae91b71b499d988e`). By default, the rule will be added at the end of the list of rules already in the ruleset.  
Create a zone ruleset rule  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID/rules" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "action": "execute",  
    "action_parameters": {  
        "id": "e22d83c647c64a3eae91b71b499d988e"  
    },  
    "expression": "true",  
    "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"  
  }'  
```  
```  
{  
  "result": {  
    "id": "<RULESET_ID>",  
    "name": "Zone-level phase entry point (response)",  
    "description": "",  
    "kind": "zone",  
    "version": "11",  
    "rules": [  
      // ... any existing rules  
      {  
        "id": "<RULE_ID>",  
        "version": "1",  
        "action": "execute",  
        "action_parameters": {  
          "id": "e22d83c647c64a3eae91b71b499d988e",  
          "version": "latest"  
        },  
        "expression": "true",  
        "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",  
        "last_updated": "2024-03-18T18:08:14.003361Z",  
        "ref": "<RULE_REF>",  
        "enabled": true  
      }  
    ],  
    "last_updated": "2024-03-18T18:08:14.003361Z",  
    "phase": "http_response_firewall_managed"  
  },  
  "success": true,  
  "errors": [],  
  "messages": []  
}  
```
3. If the entry point ruleset does not exist (that is, if you received a `404 Not Found` status code in step 1), create it using the [Create a zone ruleset](https://developers.cloudflare.com/api/resources/rulesets/methods/create/) operation. Include a single rule in the `rules` array that executes the Cloudflare Sensitive Data Detection managed ruleset (with ID `e22d83c647c64a3eae91b71b499d988e`) for all incoming requests in the zone.  
Create a zone ruleset  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "name": "My ruleset",  
    "description": "Entry point ruleset for WAF managed rulesets (response)",  
    "kind": "zone",  
    "phase": "http_response_firewall_managed",  
    "rules": [  
        {  
            "action": "execute",  
            "action_parameters": {  
                "id": "e22d83c647c64a3eae91b71b499d988e"  
            },  
            "expression": "true",  
            "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset"  
        }  
    ]  
  }'  
```
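
The three steps above can be combined into one routine that is safe to run repeatedly. The following Python code is an added example, not Cloudflare's code: the function names `plan_deployment`, `call` and `deploy` are hypothetical, the endpoints, payloads and managed ruleset ID are the ones shown in the steps, and the check for an `execute` rule that is already present goes beyond what the steps describe.

```python
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_response_firewall_managed"
SDD_RULESET_ID = "e22d83c647c64a3eae91b71b499d988e"  # managed ruleset ID from this page
EXECUTE_RULE = {
    "action": "execute",
    "action_parameters": {"id": SDD_RULESET_ID},
    "expression": "true",
    "description": "Execute the Cloudflare Sensitive Data Detection managed ruleset",
}


def plan_deployment(zone_id, status, body):
    """Turn the step 1 response into the next call: (method, url, payload) or None."""
    if status == 404:  # step 3: no entry point ruleset yet, create it with the rule
        payload = {"name": "My ruleset", "kind": "zone", "phase": PHASE,
                   "description": "Entry point ruleset for WAF managed rulesets (response)",
                   "rules": [EXECUTE_RULE]}
        return ("POST", f"{API}/zones/{zone_id}/rulesets", payload)
    if status != 200:
        raise RuntimeError(f"unexpected status {status} from entry point lookup")
    result = body["result"]  # step 2: the entry point ruleset exists
    for rule in result.get("rules") or []:
        params = rule.get("action_parameters") or {}
        if rule.get("action") == "execute" and params.get("id") == SDD_RULESET_ID:
            return None  # managed ruleset already deployed, nothing to send
    return ("POST", f"{API}/zones/{zone_id}/rulesets/{result['id']}/rules", EXECUTE_RULE)


def call(method, url, token, payload=None):
    """Send one API request and return (status, parsed JSON body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 404 and other error statuses land here
        return err.code, json.loads(err.read() or b"{}")


def deploy(zone_id, token):
    """Run steps 1 to 3 against the live API (needs network and an API token)."""
    entry = f"{API}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint"
    step = plan_deployment(zone_id, *call("GET", entry, token))
    if step is None:
        return "already deployed"
    status, body = call(step[0], step[1], token, step[2])
    if not 200 <= status < 300 or not body.get("success"):
        raise RuntimeError(f"deployment failed: {status} {body.get('errors')}")
    return "deployed"

if __name__ == "__main__":
    # Constructed step 1 response: entry point exists, ruleset not yet deployed.
    sample = {"result": {"id": "<RULESET_ID>", "rules": []}}
    print(plan_deployment("<ZONE_ID>", 200, sample))
```

`plan_deployment` has no network dependency, so the branch logic can be reviewed or unit-tested before `deploy` is given a real token.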

### Next steps

To configure the Cloudflare Sensitive Data Detection managed ruleset via API, create [overrides](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/) using the Rulesets API. You can perform the following configurations:

* Disable individual rules by creating rule overrides.

For examples of creating overrides using the API, refer to [Override a managed ruleset](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/override-managed-ruleset/).

### More resources

For more information on working with managed rulesets via API, refer to [Work with managed rulesets](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/) in the Ruleset Engine documentation.

## Review detected leaks

To check for any data leaks detected by Cloudflare Sensitive Data Detection, you can do the following:

* Regularly check [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) for any events generated by the managed ruleset.
* Configure [WAF alerts](https://developers.cloudflare.com/waf/reference/alerts/) to be notified of any spike in WAF events. For the Advanced Security Events Alert, you can filter by one or more domains on Enterprise plans and by the `Data Loss Protection` service to receive specific alerts about Sensitive Data Detection.

