Enable TLS decryption (optional)
TLS decryption allows Cloudflare Gateway to inspect HTTPS requests to your private network applications.
With TLS decryption turned on, you can apply advanced Gateway policies, such as:
- Filtering based on the complete URL and path of requests
- Scanning for sensitive data with Cloudflare Data Loss Prevention (DLP)
- Starting a remote browser isolation session with Cloudflare Browser Isolation
These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a Do Not Inspect policy or an Untrusted certificate Pass through policy to allow users to connect. To learn more, refer to TLS decryption limitations.
With TLS decryption turned off, Gateway can only inspect and apply HTTP policies to unencrypted HTTP requests. However, you can still apply network policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. For more information, refer to Gateway network policies.
In the Zero Trust dashboard:
- In Zero Trust, go to Settings > Network.
- In Firewall, turn on TLS decryption.

With Terraform:
- Add the following permission to your cloudflare_api_token:
  - Zero Trust Write
- Configure the tls_decrypt argument in cloudflare_zero_trust_gateway_settings:

```hcl
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
  account_id = var.cloudflare_account_id
  settings = {
    tls_decrypt = {
      enabled = true
    }
  }
}
```
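The caveat above about internal applications with self-signed certificates is easy to forget once decryption is on. The following is an added example, not configuration from this page or from Cloudflare, that enables TLS decryption and, in the same Terraform configuration, adds a Do Not Inspect policy so that one self-signed internal application keeps working. The account variable, the hostname app.internal.example.com, the precedence value and the exact selector field name (http.conn.hostname) are assumptions; check the selector against the current Gateway HTTP policy reference before applying.

```hcl
# Added example (not from the Cloudflare page): enable TLS decryption and
# exempt one internal app with a self-signed certificate from inspection.
# Assumed: var.cloudflare_account_id, the hostname app.internal.example.com,
# the precedence value, and the selector field name http.conn.hostname.

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5"
    }
  }
}

variable "cloudflare_account_id" {
  type        = string
  description = "Cloudflare account ID (assumed to be supplied by the caller)"
}

# Step 2 of the procedure: turn on TLS decryption for the account.
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
  account_id = var.cloudflare_account_id
  settings = {
    tls_decrypt = {
      enabled = true
    }
  }
}

# Do Not Inspect: action = "off" on an HTTP filter tells Gateway to pass the
# TLS session through without decrypting it, so the app's self-signed
# certificate is never replaced by the inspection certificate.
# Do Not Inspect policies are matched at the TLS handshake (SNI), so only
# connection-level selectors apply; the field name below is an assumption.
resource "cloudflare_zero_trust_gateway_policy" "do_not_inspect_self_signed_app" {
  account_id  = var.cloudflare_account_id
  name        = "Do Not Inspect - self-signed internal app"
  description = "Bypass TLS inspection for an internal app that presents a self-signed certificate"
  precedence  = 100 # assumed low number so it is evaluated before other HTTP policies
  enabled     = true
  action      = "off"
  filters     = ["http"]
  traffic     = "http.conn.hostname == \"app.internal.example.com\""
}
```

Apply with the same API token used for the settings resource (it needs Zero Trust Write). Because the policy is evaluated before decryption happens, it can only match on what is visible in the handshake; a Do Not Inspect rule keyed on a URL path would never match.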
Next, choose a user-side certificate to use for inspection.
When you enable TLS decryption, Gateway decrypts all traffic sent over HTTPS, applies your HTTP policies, and then re-encrypts the request with a certificate issued under a root certificate that must be trusted on the user device. You can either install the certificate provided by Cloudflare (default option) or upload a custom root certificate to Cloudflare (Enterprise-only option).
Deploying the Cloudflare root certificate is the simplest way to get started with TLS decryption and is usually appropriate for testing or proof of concept conditions.
If you already have a certificate that you use for other inspection or trust purposes, we recommend uploading your own root certificate for the following reasons:
- Using a single certificate streamlines IT management.
- If other services (such as git workflows, other CLI tools, or thick client applications) rely on an existing certificate store, presenting the same certificate in inspection is far less likely to interrupt their traffic flow.
- If you are using WARP Connector to connect devices to Cloudflare, those devices will not be able to leverage HTTP policies that require decrypting TLS unless they have a certificate that matches either your uploaded certificate or the Cloudflare root certificate. It is more likely that your network infrastructure already has your own device certificates deployed, so using the existing PKI infrastructure for inspection will reduce the number of steps needed to deploy Zero Trust.