@@ -0,0 +1,26 @@
---
title: Clipboard controls for browser-based RDP
description: Administrators can now restrict copy and paste actions between a user's local machine and their browser-based RDP session.
date: 2026-03-01
products:
- access
---

You can now configure clipboard controls for browser-based RDP with Cloudflare Access. Clipboard controls allow administrators to restrict whether users can copy or paste text between their local machine and the remote Windows server.

![Enable users to copy and paste content from their local machine to remote RDP sessions in the Cloudflare One dashboard](~/assets/images/changelog/access/rdp-clipboard-controls.png)

This feature is useful for organizations that support bring-your-own-device (BYOD) policies or third-party contractors using unmanaged devices. By restricting clipboard access, you can prevent sensitive data from being transferred out of the remote session to a user's personal device.

## Configuration options

Clipboard controls are configured per policy within your Access application. For each policy, you can independently allow or deny:

- **Copy from local client to remote RDP session** — Users can copy/paste text from their local machine into the browser-based RDP session.
- **Copy from remote RDP session to local client** — Users can copy/paste text from the browser-based RDP session to their local machine.

By default, both directions are denied for new policies. For existing Access applications created before this feature was available, clipboard access remains enabled to preserve backwards compatibility.

When a user attempts a restricted clipboard action, the clipboard content is replaced with an error message informing them that the action is not allowed.

For more information, refer to [Configure clipboard controls for browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#configure-clipboard-controls).
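Review bot: the two bullets under Configuration options name the toggles "Copy from local client to remote RDP session" and "Copy from remote RDP session to local client", while the docs page this PR adds labels the same toggles "Client to remote RDP session allowed" and "Remote RDP session to client allowed"; pick one set of names so a reader can find the control in the dashboard. The backwards-compatibility sentence ("clipboard access remains enabled") is the security-relevant part of this entry: say explicitly that administrators of browser-based RDP applications created before this release must edit their policies to restrict the clipboard, since nothing changes for those applications automatically.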
Expand Up @@ -17,6 +17,7 @@ An Access policy consists of an **Action** as well as rules which determine the
- [Actions](#actions)
- [Rule types](#rule-types)
- [Selectors](#selectors)
- [Connection context](#connection-context)

## Actions

Expand Down Expand Up @@ -166,6 +167,19 @@ of initial sign on and when reissuing the SaaS session. Once the user has
authenticated to the SaaS app, session management falls solely within the
purview of the SaaS app.

## Connection context

Connection context settings allow you to control how users interact with an application after they have been granted access. While [selectors](#selectors) determine who can access an application, connection context settings determine what actions users can take during their session.

Connection context is configured per policy, allowing you to grant different permissions to different groups of users. For example, you could allow full-time employees to copy data from a remote RDP session while restricting contractors to read-only access.

The available connection context settings depend on the application type:

| Application type | Available settings |
| --- | --- |
| [Infrastructure (SSH)](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames |
| [Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#configure-clipboard-controls) | Clipboard controls (copy/paste restrictions) |

## Order of execution

Policies are evaluated based on their action type and ordering. Bypass and Service Auth policies are evaluated first, from top to bottom as shown in the UI. Then, Block and Allow policies are evaluated based on their order.
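Review bot: "restricting contractors to read-only access" in the Connection context example overstates what the setting does; the clipboard toggles only control whether text can be copied between the session and the local client, not whether the contractor can change anything inside the session. Suggest "while denying contractors the ability to copy data out of the session". In the table, the SSH row links to the infrastructure-apps overview while the RDP row links straight to the clipboard-controls anchor; both rows would read more consistently if each pointed at the section that documents its setting.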
Expand Up @@ -6,7 +6,7 @@ sidebar:
label: Browser-based RDP
---

import { Render, GlossaryTooltip, Details } from "~/components";
import { Render, GlossaryTooltip, Details, Tabs, TabItem, APIRequest } from "~/components";

Users can connect to an RDP server without installing an RDP client or the [WARP client](/cloudflare-one/team-and-resources/devices/warp/) on their device. Browser-based RDP leverages [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/), which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the `cloudflared` daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname.

Expand Down Expand Up @@ -109,29 +109,30 @@ The DNS record does not need to point to an active destination IP address or hos

12. <Render file="access/add-access-policies" product="cloudflare-one" />


<Render file="access/self-hosted-app/browser-rendering-policies" product="cloudflare-one" />

13. <Render file="access/access-choose-idps" product="cloudflare-one" params={{ appType: "rdp" }}/>
13. (Optional) [Configure clipboard controls](#configure-clipboard-controls) to restrict copy and paste actions between the user's local machine and the browser-based RDP session.

14. <Render file="access/access-choose-idps" product="cloudflare-one" params={{ appType: "rdp" }}/>

14. Select **Next**.
15. Select **Next**.

15. (Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL.
16. (Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL.

:::note
Ensure that users match an Allow rule in your [App Launcher policies](/cloudflare-one/access-controls/access-settings/app-launcher/#enable-the-app-launcher).
:::

16. <Render file="access/access-block-page" product="cloudflare-one" />
17. <Render file="access/access-block-page" product="cloudflare-one" />

17. Select **Next**.
18. Select **Next**.

18. <Render
19. <Render
file="access/self-hosted-app/advanced-settings"
product="cloudflare-one"
/>

19. Select **Save**.
20. Select **Save**.

## 5. (Recommended) Modify order of precedence in Gateway
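Review bot: step 13 is marked "(Optional)", but the clipboard-controls section added further down states that new policies deny both clipboard directions by default. A reader who skips this step ends up with a session that has no clipboard at all, so say so here, for example "By default, new policies deny clipboard access in both directions; skip this step only if that is intended." The new step is also inserted after the `browser-rendering-policies` Render component rather than directly after step 12, so check the rendered page keeps that callout attached to the policy step it belongs to.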

Expand Down Expand Up @@ -168,11 +169,109 @@ To connect to a Windows machine over RDP:
:::

4. Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port `3389` and port `65321`).
5. (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard permissions grant the ability to copy or paste text between the local machine and the remote Windows machine.
5. (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard access is subject to [policy restrictions](#configure-clipboard-controls) configured by your administrator.
6. Enter your Windows username and password. For more information on how to format your username, refer to [User identifier formats](#user-identifier-formats).

You now have access to the remote Windows desktop.

## Configure clipboard controls

Clipboard controls allow you to restrict whether users can copy or paste text between their local machine and the browser-based RDP session. They are are configured per policy within your Access application. You can configure different clipboard permissions for different groups of users by creating multiple policies.

### Default behavior

- **New policies**: Clipboard access is denied by default. You must explicitly allow clipboard actions.
- **Existing applications**: Access applications for browser-based RDP created before this feature was available retain full clipboard access to preserve backward compatibility.

### Available settings

For each policy, you can independently allow or deny the following clipboard actions:

| Setting | Description |
| --- | --- |
| **Client to remote RDP session allowed** | Users can copy and paste text from their local client into the browser-based RDP session. |
| **Remote RDP session to client allowed** | Users can copy and paste text from the browser-based RDP session to their local client. |
| **Both directions allowed** | Users can copy and paste text between the browser-based RDP session and their local client. |

When a user attempts a restricted clipboard action, the clipboard content is replaced with a message informing them that the action is not allowed.

### Configure clipboard controls

<Tabs syncKey="dashPlusAPI">
<TabItem label="Dashboard">

1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to Zero Trust > **Access controls** > **Applications**.
2. Locate your browser-based RDP application and select **Configure**.
3. Select the **Policies** tab.
4. Create a new policy or select an existing policy to edit.
5. Expand **Connection context**.
6. Under **RDP data flow control**, configure the following settings:
- Turn on **Client to remote RDP session allowed** to allow users to copy and paste text from their local client into the browser-based RDP session.
- Turn on **Remote RDP session to client allowed** to allow users to copy and paste text from the browser-based RDP session to their local client.
- Turn on **Both directions allowed** to allow users to copy and paste text between the browser-based RDP session and their local client.
7. Select **Save policy**.

</TabItem>
<TabItem label="API">

When creating or updating a policy for an RDP application, include the `connection_rules.rdp` object:

<APIRequest
path="/accounts/{account_id}/access/apps/{app_id}/policies"
method="POST"
json={{
name: "Allow engineers with restricted clipboard",
decision: "allow",
include: [
{
email_domain: {
domain: "example.com",
},
},
],
connection_rules: {
rdp: {
allow_local_clipboard_to_remote: true,
allow_remote_clipboard_to_local: false,
},
},
}}
/>

| Parameter | Type | Description |
| --- | --- | --- |
| `allow_local_clipboard_to_remote` | boolean | When `true`, users can paste text from their local client to the browser-based RDP session. Defaults to `false`. |
| `allow_remote_clipboard_to_local` | boolean | When `true`, users can copy text from the browser-based RDP session to their local client. Defaults to `false`. |

</TabItem>
<TabItem label="Terraform">

Use the `connection_rules` block within a [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_policy) resource:

```tf
resource "cloudflare_zero_trust_access_policy" "rdp-policy" {

There are some syntax errors in this resource:

  • application_id is not supported as a top-level field in cloudflare_zero_trust_access_policy. cloudflare_zero_trust_access_policy represents a reusable policy; you can add it as an attachment to Access applications in cloudflare_zero_trust_application.policies field.
  • precedence is not valid in this resource for the same reason as above
  • Fix: include needs =:
include = [{
    email_domain = {
      domain = "cloudflare.com"
    }
  }]

application_id = cloudflare_zero_trust_access_application.rdp-app.id
account_id = var.cloudflare_account_id
name = "Allow engineers with restricted clipboard"
decision = "allow"
precedence = 1

include {
email_domain = ["example.com"]
}

connection_rules {
rdp {
allow_local_clipboard_to_remote = true
allow_remote_clipboard_to_local = false
}
}
}
connection_rules = {
   rdp = {
      allowed_clipboard_local_to_remote_formats = ["text"]
      allowed_clipboard_remote_to_local_formats = []
    }
}

```
It's not a boolean, but an array of allowed formats for that particular direction. Currently, only text is supported. Set the array to empty ([]) to block all copy/paste actions for that particular direction.

**RDP Connection Rules Schema**

Object: `connection_rules.rdp` (optional)

| Field | Type | Required | Description | Valid Values |
| --- | --- | --- | --- | --- |
| `allowed_clipboard_local_to_remote_formats` | array[string] | No | Clipboard formats allowed when copying from local machine to remote RDP session | `["text"]` or `[]` |
| `allowed_clipboard_remote_to_local_formats` | array[string] | No | Clipboard formats allowed when copying from remote RDP session to local machine | `["text"]` or `[]` |

**Both Directions Example**

```json
{
  "connection_rules": {
    "rdp": {
      "allowed_clipboard_local_to_remote_formats": ["text"],
      "allowed_clipboard_remote_to_local_formats": ["text"]
    }
  }
}
```

**Empty RDP Rules (No Clipboard Access)**

```json
{
  "connection_rules": {
    "rdp": {
      "allowed_clipboard_local_to_remote_formats": [],
      "allowed_clipboard_remote_to_local_formats": []
    }
  }
}
```
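As an added example (not Cloudflare's code and not part of this PR), a small Python linter that encodes the schema quoted in the comment above and catches the boolean-valued form the draft docs used; the function names and sample policies are constructed for illustration:

```python
# Lint the connection_rules.rdp object of an Access policy body.
# Added example, not Cloudflare code: it encodes the schema in the review
# comment above (two array-valued fields, only "text" valid today) and flags
# the boolean form the draft docs used. Function names are hypothetical.
from typing import Any

RDP_FIELDS = (
    "allowed_clipboard_local_to_remote_formats",
    "allowed_clipboard_remote_to_local_formats",
)
VALID_FORMATS = {"text"}  # per the review comment: only "text" is supported


def lint_rdp_rules(policy: dict[str, Any]) -> list[str]:
    """Return a list of problems; empty means the object is well-formed."""
    problems: list[str] = []
    rdp = policy.get("connection_rules", {}).get("rdp")
    if rdp is None:
        return problems  # optional object; absent means no clipboard access
    for key, value in rdp.items():
        if key not in RDP_FIELDS:
            problems.append(f"unknown field {key!r}")
        elif isinstance(value, bool):
            problems.append(f"{key} must be an array of formats, not a boolean")
        elif not isinstance(value, list):
            problems.append(f"{key} must be an array")
        else:
            problems.extend(f"{key}: unsupported format {fmt!r}"
                            for fmt in value if fmt not in VALID_FORMATS)
    return problems


def clipboard_directions(policy: dict[str, Any]) -> dict[str, bool]:
    """Which directions a well-formed policy lets text cross; [] or absent blocks."""
    rdp = policy.get("connection_rules", {}).get("rdp", {})
    return {
        "local_to_remote": bool(rdp.get(RDP_FIELDS[0], [])),
        "remote_to_local": bool(rdp.get(RDP_FIELDS[1], [])),
    }


# Constructed samples: the draft's boolean form beside the corrected array form.
DRAFT_POLICY = {"connection_rules": {"rdp": {
    "allow_local_clipboard_to_remote": True,
    "allow_remote_clipboard_to_local": False}}}
FIXED_POLICY = {"connection_rules": {"rdp": {
    "allowed_clipboard_local_to_remote_formats": ["text"],
    "allowed_clipboard_remote_to_local_formats": []}}}
```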


</TabItem>
</Tabs>

## Compatibility

### RDP server operating systems
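Review bot: the dashboard settings table and step 6 list three toggles ("Client to remote RDP session allowed", "Remote RDP session to client allowed", "Both directions allowed"), but the API object carries only two fields; the text should say whether "Both directions allowed" is a shortcut that turns on the other two or a distinct third state, otherwise a Terraform or API reader cannot map it. The API parameter table describes both fields as booleans with `true`/`false` defaults, which disagrees with the schema quoted in this thread (arrays of format strings, `[]` to block); the parameter table, the APIRequest body and the Terraform block need to move to the array form together, not one at a time. Typo in the section intro: "They are are configured". Finally, "the clipboard content is replaced with a message" means a blocked copy overwrites whatever the user already had on the clipboard; state that consequence under Default behavior so the restriction is not mistaken for a silent no-op.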
Expand Down Expand Up @@ -263,7 +362,7 @@ The login flow differs slightly when using an Microsoft Entra ID-bound username:
- **WARP authentication**: Since browser-based RDP traffic does not go through the WARP client, users cannot use their [WARP session identity](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/#configure-warp-sessions-in-access) to authenticate.
- **Audio over RDP**: Users cannot use their microphone and speaker to interact with the remote machine.
- **Clipboard size limit**: Data copied between the local machine and the browser-based RDP session may not exceed 500 KB.
- **Clipboard controls**: Admins do not have the ability to restrict copy/paste actions between the remote machine and the user's local clipboard.
- **File transfers**: Users cannot copy/paste files from their local machine to the remote machine and vice versa.
- **Clipboard data types**: Clipboard controls only support text data. Image and file clipboard transfers are not supported.
- **File transfers**: Users cannot transfer files from their local machine to the remote machine and vice versa.
- **Print to local printer**: Users cannot print information from their browser-based RDP session to a printer in their local network.
- **Network Level Authentication for Entra-joined accounts**: Browser-based RDP does not support PKU2U authentication which is required for [Network Level Authentication (NLA)](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/remote-desktop-allow-access#why-allow-connections-only-with-network-level-authentication) with Entra-joined accounts. Connecting to Entra-joined accounts requires disabling enforcement of NLA on the remote Windows machine. You can disable NLA from **Settings** > **System** > **Remote Desktop**, or use the Local Group Policy Editor to disable **Require user authentication for remote connections by using Network Level Authentication**.
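Review bot: "Clipboard controls only support text data" can be read as the controls not applying to images or files, i.e. that non-text clipboard content bypasses the restriction. Since the schema accepts only the "text" format and the next bullet says file transfer is unsupported, phrase it the other way round: browser-based RDP forwards text only, so image and file clipboard content is never transferred regardless of policy. Dropping the old "Clipboard controls" limitation bullet is correct now that the feature exists.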