Skip to main content

Browser DLP

Browser data loss prevention (DLP) stops sensitive data from leaving your organization through the four browser channels attackers and careless users rely on: paste, file upload, file download, and print. Enforcement happens inside the managed browser extension, so the data never has to leave the endpoint to be inspected — the platform receives only the event metadata (what kind of content, on which site, what action was taken).

Two layers make up browser DLP. Settings > Data Loss Prevention sets the global download and print posture for every managed endpoint. Security policies add targeted paste, upload, download, and print rules with conditions (which sites, which file types, which content) and per-rule actions. GenAI sites get an additional dedicated layer described in GenAI Governance.

Screenshot

[SCREENSHOT PLACEHOLDER: The Data Loss Prevention settings page showing the Download Policy options (Allow, Log Only, Block Risky, Block All) and the Print Policy options (Allow, Log Only, Block)]

How it works

The extension watches the four channels on managed endpoints:

  • Paste — when a user pastes into a text input on a monitored site, the pasted text is analyzed locally by the sensitive-data detectors (below). If a rule matches, the paste can be blocked before it lands in the field, or allowed with a warning.
  • File upload — file-picker selections and drag-and-drop files are checked against rule conditions such as file extension and file size. A blocked file is removed from the upload before the site can submit it.
  • File download — downloads are checked both at the click (download links on restricted sites) and at the browser level, where the global Download Policy can cancel risky or all downloads.
  • Print — the print shortcut (Ctrl+P / Cmd+P) and the page's own print function are intercepted. Under a Block print policy, printing is prevented; under Log Only, the event is recorded.

When an action is warned or blocked, the user sees a brief on-page notification explaining what happened — for example Paste Blocked, Sensitive Data Detected, Upload Blocked, Download Blocked, or Print Blocked — with either the default explanation or a custom message you set on the rule.

Sensitive-data detectors

Paste and content inspection uses a built-in detector library, evaluated locally in the browser:

DetectorExamples
Email addressesuser@company.com
Social Security numbersseparator or labeled forms
Credit card numbers16-digit grouped forms
Phone numbersformatted numbers with separators or parentheses
API keyscommon provider key formats (OpenAI, AWS access keys, GitHub, GitLab, Slack)
JWT tokensthree-part signed tokens
Private keys and certificatesPEM headers
Secret assignmentspassword=..., api_key: ..., Bearer ... tokens
AWS secret-like tokens40-character secret-shaped strings (deliberately broad)
Connection stringsdatabase and message-broker URLs, JDBC strings
Source codeheuristic scoring with adjustable sensitivity
Large textconfigurable character threshold
Custom patternsyour own plain-text or regular-expression patterns

Detectors are tuned to minimize false positives (for example, a bare 10-digit number is not treated as a phone number, and 40-character lowercase hashes are not treated as AWS secrets).

Which control lives where

ChannelGlobal setting (Settings > Data Loss Prevention)Targeted policy ruleGenAI-specific layer
PastePaste Sensitive Data, Paste Large Text, Paste CodeContent Restrictions detectors and custom patterns
File uploadUpload file with extension/size conditionsUpload size, blocked extensions, sensitive-content scanning
File downloadDownload Policy (all sites)Download File on matched sitesBlock all file downloads from GenAI sites
PrintPrint Policy (all sites)Print Page on matched sites

Where layers overlap, the stricter outcome wins — an explicit block from any layer is enforced.

Using the page: Settings > Data Loss Prevention

Open Settings and choose Data Loss Prevention. These settings apply globally to all managed browser extensions.

Download Policy

OptionBehavior
AllowNo restrictions on file downloads
Log OnlyMonitor and log all downloads without blocking
Block RiskyBlock potentially dangerous file types (.exe, .bat, .ps1, .js, etc.)
Block AllBlock all file downloads

Block Risky targets executable and scriptable formats — Windows executables and installers, script files, shared libraries, and package/installer formats across Windows, macOS, and Linux. Ordinary documents and media are unaffected.

OptionBehavior
AllowNo restrictions on printing
Log OnlyMonitor and log all print events without blocking
BlockBlock all printing (Ctrl+P and window.print)

Click Save Changes to apply. Saving requires you to re-enter your password. Settings sync to extensions via policy updates.

Screenshot

[SCREENSHOT PLACEHOLDER: An endpoint browser showing the on-page "Download Blocked" notification after a user attempts to download an executable under the Block Risky policy]

Targeted rules via security policies

For anything more surgical than the global toggles, add DLP rules to your security policies (see Policies). A policy rule can trigger on these user actions:

  • Paste Sensitive Data — any of the sensitive-data detectors matched the pasted text (you can restrict to specific data types).
  • Paste Large Text — the paste exceeded a character-count condition.
  • Paste Code — the code heuristic matched.
  • Upload file — optionally conditioned on file extension and file size.
  • Download File and Print Page — on sites matched by the rule.

Conditions can also scope rules by site domain, URL path, and custom content patterns (plain text or regular expressions), combined with and/or logic. Each rule carries its own action — record only, warn, or block — and an optional custom message shown to the user. Because rules are scoped, you can, for example, block pasting API keys everywhere except your own issue tracker, or block printing only on your HR system.

Screenshot

[SCREENSHOT PLACEHOLDER: The policy rule editor with a User Action condition of "Paste Sensitive Data" and a Block action configured for a specific site domain]

Actions and how violations surface

Every DLP rule resolves to one of three outcomes:

ActionUser experienceRecorded
Log (monitor)Nothing — the action proceeds silentlyYes, as a logged event
WarnOn-page warning notification; the action proceedsYes, as a warned event
BlockThe paste/upload/download/print is prevented, with a notificationYes, as a blocked event

All events feed your analytics and dashboards. Warned and blocked events additionally create a DLP violation alert in your alert queue, with a description of what happened (for example, "paste of api_key blocked on <site>" or "file upload warned on <site>") and a severity you can adjust per alert type. Alerts follow your normal triage workflow — acknowledge, investigate, resolve — and are forwarded to your SIEM like any other alert. See Alerts.

Logged (monitor-only) events do not raise alerts; they exist so you can measure a control before enforcing it.

note

The policy auto-tuner analyzes your DLP event history and can propose rule and threshold changes — for example, relaxing a detector that generates constant false positives on one internal site. Proposals always require human review and approval; the tuner never enforces a change on its own. See Policy Auto-Tuner.

Worked example: stopping secrets from leaving via paste

An engineering organization wants to stop credentials being pasted into external web tools without disrupting normal work.

  1. Baseline. Create a policy rule: user action Paste Sensitive Data, restricted to the API-key and secret-assignment data types, action set to log only. Run it for two weeks.
  2. Review. The AI Usage dashboard and alert analytics show most detections happen on a partner support portal (legitimate, keys are test-only) and a handful on paste-sharing sites (not legitimate).
  3. Enforce. Change the rule's action to Block, and add a site-domain condition that excludes the partner portal. Add a custom message: "Pasting credentials into external sites is blocked. Use the secrets vault to share keys."
  4. Operate. A developer pastes a live key into a public paste site; the paste is blocked, the on-page notification explains why, and a DLP violation alert appears in the triage queue with the site and data type — no key ever left the browser.
  5. Tune. A month later, the auto-tuner proposes narrowing one detector that flagged a false positive pattern on an internal wiki. You review and approve the proposal.

Troubleshooting

A blocked download still appeared in the user's download bar. Blocked downloads are canceled as they start; a canceled entry may briefly appear before it is removed. Verify the file itself did not complete.

Print blocking does not stop screenshots or photos of the screen. Correct — print controls govern the browser print pipeline (shortcut and page print calls). They are one layer of a defense-in-depth posture, not a screen-capture control.

Users report a paste was blocked that should not have been. Check which rule fired (the alert names the content type and rule). Narrow the rule's data types, add a site exclusion, or lower the code-detection sensitivity. Recurring false positives are exactly what the policy auto-tuner is designed to surface.

I set Block Risky but a user downloaded a macro-enabled document. Block Risky targets executable and scriptable file types. Documents — including macro-enabled ones — are not in that set; use Block All or a targeted Download File policy rule for stricter postures.

Where do the GenAI-specific paste and upload controls live? On the GenAI settings page, which layers AI-site-specific enforcement (approved sites, per-category PII scanning, upload size and extension rules) on top of the global DLP described here. See GenAI Governance.

How quickly do saved changes take effect? DLP settings sync to extensions with policy updates, so allow up to one policy sync interval (60 minutes by default) or an extension restart before expecting the new behavior on endpoints.