Cloudflare Demo Shop

Browser Isolation

Render risky web pages on Cloudflare's network, not on the user's device. The browser receives only safe draw commands — malware, drive-by downloads, and zero-days can't reach the endpoint.

How do you let users browse anywhere without exposing endpoints to risk?

The browser is the new operating system, and it's where most attacks land — drive-by malware, zero-day exploits, credential theft on lookalike sites, and data exfiltration through file uploads and copy/paste. Blocking the open internet is bad for productivity. Allowing it is a constant source of incidents and IR work.

How it fits together

Diagram coming soon

Architecture diagram for this solution will be added here.

How Cloudflare solves it

Common questions

Will this make browsing feel laggy?
Cloudflare uses NVR (network vector rendering) instead of pushing pixel streams, so the bandwidth and latency overhead are minimal. Most users can't tell the difference between an isolated session and a normal browser.
What if I just want to isolate one specific site, like a webmail product?
Yes — you can isolate by hostname, URL pattern, category, or risk score. You can even publish a 'clientless' isolated link that opens a specific app in isolation for unmanaged or BYOD devices.
Can I use this to safely interact with AI tools?
Yes. Isolation can disable file uploads, paste, and keyboard typing on sites like ChatGPT, Claude, or other generative AI tools — letting users read responses while preventing them from pasting sensitive data into the prompt.
How does this differ from a VDI?
VDI runs an entire desktop in the cloud (expensive, complex, and slow). Browser Isolation runs just the browser tab in the cloud — invisible to the user, cheap, and integrated with the rest of Cloudflare Zero Trust.

Try it live

If your device is enrolled in Cloudflare WARP with a Browser Isolation Gateway policy applied, opening the link below will render blog.cloudflare.com in an isolated browser session rather than locally. Watch the browser address bar — you'll see a Cloudflare-issued isolated session URL.

Try it live on a configured target

Click below to visit a target site. If your device is enrolled in Cloudflare Gateway with a Browser Isolation policy applied, the request will be handled by Cloudflare automatically.

Open https://blog.cloudflare.com ↗

Note: behavior depends on your device's Cloudflare Gateway configuration.

Docs & blogs

← Back to all solutions