Replace insecure JavaScript libraries
This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.
This rewrite operation currently supports the polyfill JavaScript library hosted in polyfill.io.
How it works
When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under CDNJS.
The rewritten URL will keep the original URL scheme (http:// or https://).
For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).
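Because the rewrite only applies to proxied traffic, it is useful to find the same references in origin HTML. The following added example (not Cloudflare's code) lists script tags that load from polyfill.io under /v2 or /v3 and previews a scheme-preserving replacement. The hostname matching rule, the CDNJS host and path prefix, and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumptions, not taken from the page: which hostnames count as polyfill.io
# and the CDNJS host and path prefix used to build the replacement URL.
TARGET_DOMAIN = "polyfill.io"
CDNJS_HOST = "cdnjs.cloudflare.com"
CDNJS_PREFIX = "/polyfill"
SUPPORTED_PATHS = ("/v2/", "/v3/")  # the two paths the page lists
# Constructed sample input.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="http://polyfill.io/v2/polyfill.js"></script>
<script src="https://notpolyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

def is_target(parts):
    host = (parts.hostname or "").lower().rstrip(".")
    return host == TARGET_DOMAIN or host.endswith("." + TARGET_DOMAIN)

def preview_rewrite(src):
    """Return the CDNJS equivalent of a polyfill.io src (scheme kept), or None."""
    try:
        parts = urlsplit(src.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    if not is_target(parts) or not parts.path.startswith(SUPPORTED_PATHS):
        return None
    return urlunsplit((parts.scheme, CDNJS_HOST, CDNJS_PREFIX + parts.path, parts.query, ""))

class ScriptSrcAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, original src, rewritten URL)
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        rewritten = preview_rewrite(src) if tag == "script" and src else None
        if rewritten:
            self.findings.append((self.getpos()[0], src, rewritten))

def audit(html):
    auditor = ScriptSrcAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for line, src, new in audit(SAMPLE_HTML):
        print(f"line {line}: {src} -> {new}")
```

Lookalike hosts such as notpolyfill.io and same-origin scripts are left out of the findings.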
Availability
The feature is available in all Cloudflare plans, and is turned on by default on Free plans.
Configure
- Log in to the Cloudflare dashboard and select your account and zone.
- Go to Security > Settings.
- For Replace insecure JavaScript libraries, switch the toggle to On or Off.
Issue a PATCH request similar to the following:
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/replace_insecure_js" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{ "value": "on" }'
Final remarks
Since pages.dev zones are on a Free plan, the Replace insecure JavaScript libraries feature is turned on by default on these zones and it is not possible to turn it off.