What is a secure web gateway (SWG)?

A secure web gateway (SWG) blocks or filters out dangerous content and prevents data leakage. All employee Internet traffic passes through the SWG.

Learning Objectives

After reading this article you will be able to:

  • Understand what a secure web gateway is
  • Learn how secure web gateways work
  • Learn about application control, URL filtering, and other important SWG capabilities

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is a secure web gateway (SWG)?

secure web gateway

A secure web gateway (SWG) is a cyber security product that protects company data and enforces security policies. SWGs operate in between company employees and the Internet. Like a water filter, which removes dangerous impurities from water so that it is safe to drink, SWGs filter unsafe content from web traffic to stop cyber threats and data breaches. They also block risky or unauthorized user behavior.

All SWG products contain these technologies:

  • URL filtering
  • Anti-malware detection and blocking
  • Application control

SWGs may also include data loss prevention (DLP), content filtering, and other Internet traffic filters.

Why use a secure web gateway?

In the past, business processes largely took place within an internal corporate network. But with an increased reliance on remote workforces and on cloud computing, organizations have to use the Internet in addition to or instead of their internal private networks. And the variety and numbers of threats present on the Internet, from phishing attacks to malware-infected webpages, have made SWGs essential for many organizations.

How does a secure web gateway work?

Some SWGs run on proxy servers. A proxy server represents another device on the Internet. It makes requests and receives responses on behalf of a client device (e.g. a user's laptop) or another server. For secure web gateways, this proxy server can either be an actual physical server or a virtual machine in the cloud.

Other SWGs are software only; software-based gateways can run either on a company's premises or in the cloud as a SaaS application. And finally, some SWGs are deployed as on-premise appliances: physical hardware devices that plug into a company's IT infrastructure.

No matter where they run or how they are deployed, all SWGs work in roughly the same way. When a client device sends a request to a website or application on the Internet, the request travels through the SWG first. The gateway inspects the request and passes it along only if it does not violate established security policies, just as security guards may inspect a person's possessions at a physical security checkpoint before allowing them through. A similar process occurs in reverse: all incoming data is inspected by the SWG before it is passed along to users.

Because SWGs can run anywhere, they are especially helpful for managing remote employees. By requiring remote workers to access the Internet through a secure web gateway, companies that rely on a distributed workforce can better prevent data breaches, even if they do not have direct control over their employees' devices or networks.

How do secure web gateways enforce security policies?

A security policy is a rule that all data and network traffic within a company must conform to. For instance, suppose a company sets up a policy that all network traffic must be encrypted. Enforcing this policy would involve blocking websites that do not use HTTPS. A secure web gateway is one way to implement this policy, as it can filter out all non-HTTPS network traffic.

SWGs can perform a number of actions on the web traffic they inspect and forward in order to enforce security policies:

URL filtering

A URL is the string of text that appears in the top of a browser when it loads a webpage: for instance, https://www.cloudflare.com/learning/. URL filtering is therefore a way to control which websites a user can load.

URL filtering typically involves the use of a blocklist: a list of known bad websites that are not allowed. If a user attempts to load a website that is on the blocklist, the SWG blocks the request and the website does not load on the user's device.

Anti-malware scanning

SWGs scan network traffic for malware, meaning they examine the data passing through and see if it matches up with code from known malware. Some gateways also use sandboxing to test for malware: they execute potentially malicious code in a controlled environment to see how it behaves. If malware is detected, the gateway blocks it.

A lot of network traffic on the Internet is encrypted* with HTTPS. Many SWGs can decrypt HTTPS traffic in order to scan the traffic for malware. After inspection, the gateway re-encrypts the traffic and forwards it to the user or the web server. This process is called HTTPS inspection.

*Encryption is the process of altering data so that it appears to be random. Encrypted data cannot be read until it is decrypted. Decryption is the reverse of the encryption process.

Application control

SWGs can detect which applications employees are using. Based on that, they can control what resources different applications can access or block certain applications altogether. Some SWGs offer even greater degrees of control over application usage: for example, they can control application use based upon a user's identity or location.

Other SWG capabilities include:

  • Content filtering: This feature detects certain kinds of content and blocks that content. For instance, content filtering can block explicit videos or photos from entering a corporate network. Company IT administrators can usually customize their secure web gateway's content filtering policy.
  • Data loss prevention (DLP): This feature is not offered by all web security gateways, but it can be highly effective for preventing breaches. DLP is somewhat like content filtering in reverse: instead of stopping content from coming into a network, it keeps content from leaving a network. DLP detects when confidential data is going out from a company-controlled environment and redacts or blocks the data to prevent it from leaking. For example, DLP could be set up to detect and redact all 16-digit numbers sent in employee emails in order to stop confidential credit card numbers from leaving the network.

How do secure web gateways fit into a SASE model?

SASE, or secure access service edge, bundles networking functions with various security functions (such as SWGs), and delivers them from a single global network.

Like many security products, an SWG is a single-solution product that is often managed separately from other networking and network security functions. With a SASE framework in place, however, companies can implement and maintain their networks and network security from a single cloud-based vendor.

How does Cloudflare Gateway keep web traffic secure?

Cloudflare Gateway offers comprehensive security for internal teams on the Internet, protecting both employees and internal corporate data. Cloudflare Gateway uses DNS filtering to block malicious content, gives administrators complete visibility of network traffic, and protects users from malicious online code with browser isolation.

Explore the capabilities of Cloudflare Gateway.