This detection technique gathers general data about the machines reaching Cloudflare. For example, Cloudflare might learn that a particular user is accessing Cloudflare via Google Chrome on a MacBook Pro. Because there are millions of people using Google Chrome on a MacBook Pro, Cloudflare cannot identify specific individuals. Cloudflare also takes steps to anonymize and phase out data for added privacy.
If you enabled Bot Management before June 2020
If you have a Content Security Policy (CSP)
If you have a Content Security Policy (CSP):
- Ensure that anything under
/cdn-cgi/challenge-platform/is allowed. Your CSP should allow scripts served from your origin domain (
- If your CSP uses a
noncefor script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
- If your CSP does not use
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.We highly discourage the use of
unsafe-inlineand instead recommend the use CSP
noncesin script tags which we parse and support in our CDN.