How do you let users browse anywhere without exposing endpoints to risk?
The browser is the new operating system, and it's where most attacks land — drive-by malware, zero-day exploits, credential theft on lookalike sites, and data exfiltration through file uploads and copy/paste. Blocking the open internet is bad for productivity. Allowing it is a constant source of incidents and IR work.
How it fits together
Diagram coming soon
Architecture diagram for this solution will be added here.
How Cloudflare solves it
- Remote rendering on Cloudflare's network. When a user opens an isolated session, Chromium runs on Cloudflare's edge. The local browser receives only the rendered output (network vector rendering), not the raw page. Any malicious code executes in a disposable container, never on the user's machine.
- No native client required. Works in any modern browser (Chrome, Edge, Firefox, Safari) — no plugin or VDI agent. Users don't need to know they're isolated.
- Granular data controls. Disable copy/paste, downloads, uploads, printing, or keyboard input per session. Useful for SaaS apps containing sensitive data, AI chatbots that shouldn't receive PII, or generally untrusted destinations.
- Isolate by policy, not all-or-nothing. Use Gateway policies to isolate only the risky stuff — newly-registered domains, security feeds, unsanctioned AI sites, or unknown categories — while letting safe traffic flow directly. Users get a normal experience for 99% of sites and seamless protection for the 1%.
Common questions
Will this make browsing feel laggy?
What if I just want to isolate one specific site, like a webmail product?
Can I use this to safely interact with AI tools?
How does this differ from a VDI?
Try it live
If your device is enrolled in Cloudflare WARP with a Browser Isolation Gateway policy applied, opening the link below will render blog.cloudflare.com in an isolated browser session rather than locally. Watch the browser address bar — you'll see a Cloudflare-issued isolated session URL.
Try it live on a configured target
Click below to visit a target site. If your device is enrolled in Cloudflare Gateway with a Browser Isolation policy applied, the request will be handled by Cloudflare automatically.
Open https://blog.cloudflare.com ↗Note: behavior depends on your device's Cloudflare Gateway configuration.