[AI Gateway] Add documentation for DLP on AI Gateway (#24778)

thebongy · Rishit Bansal · web-flow · commit d11e4d321b44 · 2025-09-03T00:15:30.000+05:30
Co-authored-by: Rishit Bansal &lt;rbansal@cloudflare.com&gt;
diff --git a/src/content/docs/ai-gateway/features/dlp/index.mdx b/src/content/docs/ai-gateway/features/dlp/index.mdx
@@ -0,0 +1,61 @@
+---
+pcx_content_type: concept
+title: Data Loss Prevention (DLP)
+sidebar:
+  order: 5
+  group:
+    badge: Beta
+---
+
+import { Feature } from "~/components";
+
+
+Data Loss Prevention (DLP) for AI Gateway helps protect your organization from inadvertent exposure of sensitive data through AI interactions. By integrating with Cloudflare's proven DLP technology, AI Gateway can scan both incoming prompts and outgoing AI responses for sensitive information, ensuring your AI applications maintain security and compliance standards.
+
+## How it works
+
+AI Gateway DLP leverages the same powerful detection engines used in [Cloudflare's Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) solution to scan AI traffic in real-time. The system analyzes both user prompts sent to AI models and responses received from AI providers, identifying sensitive data patterns and taking appropriate protective actions.
+
+
+## Key benefits
+
+- **Prevent data leakage**: Stop sensitive information from being inadvertently shared with AI providers or exposed in AI responses
+- **Maintain compliance**: Help meet regulatory requirements like GDPR, HIPAA, and PCI DSS
+- **Consistent protection**: Apply the same DLP policies across all AI providers and models
+- **Audit visibility**: Comprehensive logging and reporting for security and compliance teams
+- **Zero-code integration**: Enable protection without modifying existing AI applications
+
+## Supported AI traffic
+
+AI Gateway DLP can scan:
+
+- **User prompts** - Content submitted to AI models, including text, code, and structured data
+- **AI responses** - Output generated by AI models before being returned to users
+
+The system works with all AI providers supported by AI Gateway, providing consistent protection regardless of which models or services you use.
+
+## Integration with Cloudflare DLP
+
+AI Gateway DLP uses the same detection profiles and policies as Cloudflare's enterprise DLP solution. This means:
+
+- **Unified management** - Configure DLP policies once and apply them across web traffic, email, SaaS applications, and AI interactions
+- **Consistent detection** - The same sensitive data patterns are detected across all channels
+- **Centralized reporting** - All DLP events appear in the same dashboard and logs
+- **Shared profiles** - Reuse existing DLP detection profiles for AI traffic
+
+For more information about Cloudflare's DLP capabilities, refer to the [Data Loss Prevention documentation](/cloudflare-one/policies/data-loss-prevention/).
+
+## Getting started
+
+To enable DLP for your AI Gateway:
+
+1. [Set up DLP policies](/ai-gateway/features/dlp/set-up-dlp/) for your AI Gateway
+2. Configure detection profiles and response actions
+3. Monitor DLP events through the Cloudflare dashboard
+
+## Related resources
+
+- [Set up DLP for AI Gateway](/ai-gateway/features/dlp/set-up-dlp/)
+- [Cloudflare Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/)
+- [AI Gateway Security Features](/ai-gateway/features/guardrails/)
+- [DLP Detection Profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/)
diff --git a/src/content/docs/ai-gateway/features/dlp/set-up-dlp.mdx b/src/content/docs/ai-gateway/features/dlp/set-up-dlp.mdx
@@ -0,0 +1,197 @@
+---
+pcx_content_type: how-to
+title: Set up Data Loss Prevention (DLP)
+sidebar:
+  order: 2
+---
+
+Add Data Loss Prevention (DLP) to any AI Gateway to start scanning AI prompts and responses for sensitive data.
+
+## Prerequisites
+
+- An existing [AI Gateway](/ai-gateway/get-started/)
+
+## Enable DLP for AI Gateway
+
+1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **AI** > **AI Gateway**.
+3. Select a gateway where you want to enable DLP.
+4. Go to the **Firewall** tab.
+5. Toggle **Data Loss Prevention (DLP)** to **On**.
+
+## Add DLP policies
+
+After enabling DLP, you can create policies to define how sensitive data should be handled:
+
+1. Under the DLP section, click **Add Policy**.
+2. Configure the following fields for each policy:
+   - **Policy ID**: Enter a unique name for this policy (e.g., "Block-PII-Requests")
+   - **DLP Profiles**: Select the DLP profiles to check against. AI requests/responses will be checked against each of the selected profiles. Available profiles include:
+     - **Financial Information** - Credit cards, bank accounts, routing numbers
+     - **Personal Identifiable Information (PII)** - Names, addresses, phone numbers  
+     - **Government Identifiers** - SSNs, passport numbers, driver's licenses
+     - **Healthcare Information** - Medical record numbers, patient data
+     - **Custom Profiles** - Organization-specific data patterns
+     
+     :::note
+     DLP profiles can be created and managed in the [Zero Trust DLP dashboard](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/).
+     :::
+
+   - **Action**: Choose the action to take when any of the selected profiles match:
+     - **Flag** - Record the detection for audit purposes without blocking
+     - **Block** - Prevent the request/response from proceeding
+
+   - **Check**: Select what to scan:
+     - **Request** - Scan user prompts sent to AI providers
+     - **Response** - Scan AI model responses before returning to users
+     - **Both** - Scan both requests and responses
+
+3. Click **Save** to save your policy configuration.
+
+## Manage DLP policies
+
+You can create multiple DLP policies with different configurations:
+
+- **Add multiple policies**: Click **Add Policy** to create additional policies with different profile combinations or actions
+- **Enable/disable policies**: Use the toggle next to each policy to individually enable or disable them without deleting the configuration
+- **Edit policies**: Click on any existing policy to modify its settings
+- **Save changes**: Always click **Save** after making any changes to apply them
+
+## Test your configuration
+
+After configuring DLP settings:
+
+1. Make a test AI request through your gateway that contains sample sensitive data.
+2. Check the **AI Gateway Logs** to verify DLP scanning is working.
+3. Review the detection results and adjust profiles or actions as needed.
+
+## Monitor DLP events
+
+### Viewing DLP logs in AI Gateway
+
+DLP events are integrated into your AI Gateway logs:
+
+1. Go to **AI** > **AI Gateway** > your gateway > **Logs**.
+2. Click on any log entry to view detailed information. For requests where DLP policies were triggered, additional details are included:
+   - **DLP Action Taken**: Shows whether the action was "Flag" or "Block"
+   - **DLP Policies Matched**: Detailed information about each policy that matched, including:
+     - Which DLP profiles triggered within each policy
+     - Whether the match occurred in the request or response
+     - Specific entries that matched within each DLP profile
+
+### Filter DLP events
+
+To view only DLP-related requests:
+
+1. On the **Logs** tab, click **Add Filter**.
+2. Select **DLP Action** from the filter options.
+3. Choose to filter by:
+   - **FLAG** - Show only requests where sensitive data was flagged
+   - **BLOCK** - Show only requests that were blocked due to DLP policies
+
+
+## Error handling
+
+When DLP policies are triggered, your application will receive additional information through response headers and error codes.
+
+### DLP response header
+
+When a request matches DLP policies (whether flagged or blocked), an additional `cf-aig-dlp` header is returned containing detailed information about the match:
+
+#### Header schema
+
+```json
+{
+  "findings": [
+    {
+      "profile": {
+        "context": {},
+        "entry_ids": ["string"],
+        "profile_id": "string"
+      },
+      "policy_ids": ["string"],
+      "check": "REQUEST" | "RESPONSE"
+    }
+  ],
+  "action": "BLOCK" | "FLAG"
+}
+```
+
+#### Example header value
+
+```json
+{
+  "findings": [
+    {
+      "profile": {
+        "context": {},
+        "entry_ids": ["a1b2c3d4-e5f6-7890-abcd-ef1234567890", "f7e8d9c0-b1a2-3456-789a-bcdef0123456"],
+        "profile_id": "12345678-90ab-cdef-1234-567890abcdef"
+      },
+      "policy_ids": ["block_financial_data"],
+      "check": "REQUEST"
+    }
+  ],
+  "action": "BLOCK"
+}
+```
+
+Use this header to programmatically detect which DLP profiles and entries were matched, which policies triggered, and whether the match occurred in the request or response.
+
+### Error codes for blocked requests
+
+When DLP blocks a request, your application will receive structured error responses:
+
+- **Request blocked by DLP**
+  - `"code": 2029`
+  - `"message": "Request content blocked due to DLP policy violations"`
+
+- **Response blocked by DLP**
+  - `"code": 2030`
+  - `"message": "Response content blocked due to DLP policy violations"`
+
+Handle these errors in your application:
+
+```js
+try {
+  const res = await env.AI.run('@cf/meta/llama-3.1-8b-instruct', {
+    prompt: userInput
+  }, {
+    gateway: {id: 'your-gateway-id'}
+  })
+  return Response.json(res)
+} catch (e) {
+  if ((e as Error).message.includes('2029')) {
+    return new Response('Request contains sensitive data and cannot be processed.')
+  }
+  if ((e as Error).message.includes('2030')) {
+    return new Response('AI response was blocked due to sensitive content.')
+  }
+  return new Response('AI request failed')
+}
+```
+
+## Best practices
+
+- **Start with flagging**: Begin with "Flag" actions to understand what data is being detected before implementing blocking
+- **Tune confidence levels**: Adjust detection sensitivity based on your false positive tolerance
+- **Use appropriate profiles**: Select DLP profiles that match your data protection requirements
+- **Monitor regularly**: Review DLP events to ensure policies are working as expected
+- **Test thoroughly**: Validate DLP behavior with sample sensitive data before production deployment
+
+## Troubleshooting
+
+### DLP not triggering
+
+- Verify DLP toggle is enabled for your gateway
+- Ensure selected DLP profiles are appropriate for your test data
+- Confirm confidence levels aren't set too high
+
+### Unexpected blocking
+
+- Review DLP logs to see which profiles triggered
+- Consider lowering confidence levels for problematic profiles
+- Test with different sample data to understand detection patterns
+- Adjust profile selections if needed
+
+For additional support with DLP configuration, refer to the [Cloudflare Data Loss Prevention documentation](/cloudflare-one/policies/data-loss-prevention/) or contact your Cloudflare support team.
diff --git a/src/content/docs/ai-gateway/features/index.mdx b/src/content/docs/ai-gateway/features/index.mdx
@@ -70,6 +70,20 @@ Deploy AI applications safely with real-time content moderation. Automatically d
 
 </Feature>
 
+<Feature header="Data Loss Prevention (DLP)" href="/ai-gateway/features/dlp/">
+
+Protect your organization from inadvertent exposure of sensitive data through AI interactions. Scan prompts and responses for PII, financial data, and other sensitive information.
+
+**Key benefits:**
+
+- Real-time scanning of AI prompts and responses
+- Detection of PII, financial, healthcare, and custom data patterns
+- Configurable actions: flag or block sensitive content
+- Integration with Cloudflare's enterprise DLP solution
+- Compliance support for GDPR, HIPAA, and PCI DSS
+
+</Feature>
+
 <Feature header="Authentication" href="/ai-gateway/configuration/authentication/">
 
 Secure your AI Gateway with token-based authentication. Control access to your gateways and protect against unauthorized usage.
@@ -157,19 +171,19 @@ Override default pricing with your negotiated rates or custom cost models. Apply
 
 ## Feature Comparison by Use Case
 
-| Use Case                   | Recommended Features                        |
-| -------------------------- | ------------------------------------------- |
-| **Cost Optimization**      | Caching, Rate Limiting, Custom Costs        |
-| **High Availability**      | Fallbacks using Dynamic Routing             |
-| **Security & Compliance**  | Guardrails, Authentication, BYOK, Logging   |
-| **Performance Monitoring** | Analytics, Logging, Custom Metadata         |
-| **A/B Testing**            | Dynamic Routing, Custom Metadata, Analytics |
+| Use Case                   | Recommended Features                            |
+| -------------------------- | ----------------------------------------------- |
+| **Cost Optimization**      | Caching, Rate Limiting, Custom Costs            |
+| **High Availability**      | Fallbacks using Dynamic Routing                 |
+| **Security & Compliance**  | Guardrails, DLP, Authentication, BYOK, Logging  |
+| **Performance Monitoring** | Analytics, Logging, Custom Metadata             |
+| **A/B Testing**            | Dynamic Routing, Custom Metadata, Analytics     |
 
 ## Getting Started with Features
 
 1. **Start with the basics**: Enable [Caching](/ai-gateway/features/caching/) and [Analytics](/ai-gateway/observability/analytics/) for immediate benefits
 2. **Add reliability**: Configure Fallbacks and Rate Limiting using [Dynamic routing](/ai-gateway/features/dynamic-routing/)
-3. **Enhance security**: Implement [Guardrails](/ai-gateway/features/guardrails/) and [Authentication](/ai-gateway/configuration/authentication/)
+3. **Enhance security**: Implement [Guardrails](/ai-gateway/features/guardrails/), [DLP](/ai-gateway/features/dlp/), and [Authentication](/ai-gateway/configuration/authentication/)
 
 ---
 
