Configuration settings

Reporting endpoint

When enabled, client-side security's resource monitoring uses a Content Security Policy (CSP) report-only HTTP header to gather information about all the scripts running on your application.

By default, reports are sent to a Cloudflare-owned endpoint:

https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?<QUERY_STRING>

Enterprise customers with a paid add-on can change the reporting endpoint so that the CSP reports are sent to the same hostname:

<YOUR-HOSTNAME>/cdn-cgi/script-monitor/report?<QUERY_STRING>

Prerequisites for using the same hostname for CSP reports

Using the same hostname for CSP reporting may interfere with other Cloudflare products. Before selecting this option, ensure that your Cloudflare configuration complies with the following:

  • No rate limiting rules match the cdn-cgi/* URL path
  • No custom rules match the cdn-cgi/* URL path

Configure the reporting endpoint

To configure the CSP reporting endpoint:

  1. In the Cloudflare dashboard, go to the Security Settings page.

  2. (Optional) Filter by Client-side abuse.

  3. Under Continuous script monitoring > Configurations, select the edit icon next to Reporting endpoint.

  4. Select Cloudflare-owned endpoint or Same hostname.

  5. Select Save.
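
To confirm which endpoint a page's report-only policy points at after saving, the following added example (not Cloudflare's code) labels each report URI against the two endpoints documented above. It assumes the policy uses a report-uri directive; the sample header values, the hostname shop.example.com and the query string are constructed.

```python
from urllib.parse import urlsplit

# Endpoint host and paths as documented on this page (query string ignored).
CLOUDFLARE_HOST = "csp-reporting.cloudflare.com"
CLOUDFLARE_PATH = "/cdn-cgi/script_monitor/report"
SAME_HOST_PATH = "/cdn-cgi/script-monitor/report"

# Constructed sample header values; directives and query string are placeholders.
SAMPLE_DEFAULT = ("script-src 'none'; report-uri "
                  "https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=EXAMPLE")
SAMPLE_SAME_HOST = ("script-src 'none'; report-uri "
                    "https://shop.example.com/cdn-cgi/script-monitor/report?m=EXAMPLE")


def report_uris(header_value):
    """Return the URIs of the first report-uri directive in a CSP header value."""
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            return parts[1:]
    return []


def classify_endpoints(header_value, page_host):
    """Label each report URI: 'cloudflare-owned', 'same-hostname' or 'other'."""
    labels = []
    for uri in report_uris(header_value):
        url = urlsplit(uri)
        # A relative report-uri resolves against the page's own origin.
        host = url.hostname or page_host.lower()
        if (url.scheme, host, url.path) == ("https", CLOUDFLARE_HOST, CLOUDFLARE_PATH):
            labels.append("cloudflare-owned")
        elif host == page_host.lower() and url.path == SAME_HOST_PATH:
            labels.append("same-hostname")
        else:
            labels.append("other")  # unexpected collector: worth investigating
    return labels


if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_SAME_HOST):
        print(classify_endpoints(sample, "shop.example.com"))
```

Pass the value of the Content-Security-Policy-Report-Only response header for a page together with that page's hostname. Hosts are matched exactly, so a lookalike that merely begins with the Cloudflare hostname is labelled other.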

Connection target details

When connection targets are reported to Cloudflare, their URIs can sometimes include sensitive data such as a session ID.

By default, client-side security only checks the domain against malicious threat intelligence feeds. You can choose to let Cloudflare use the full URI when analyzing the connections made from your domain's pages. Any sensitive data present in the URI will be logged in clear text, and any user with access to the connection monitor dashboard will be able to view it.

Configure the connection target details to use

  1. In the Cloudflare dashboard, go to the Security Settings page.

  2. (Optional) Filter by Client-side abuse.

  3. Under Continuous script monitoring > Configurations, select the edit icon next to Data processing.

  4. Select Log host only to analyze only the hostname or Log full URI to use the full URI.

  5. Select Save.

Turn off client-side resource monitoring

When you turn off client-side security's resource monitoring, you lose visibility on the scripts running on your zone, the outbound connections made from pages in your domain, and cookies detected in HTTP traffic.

To turn off client-side resource monitoring:

  1. In the Cloudflare dashboard, go to the Security Settings page.

  2. (Optional) Filter by Client-side abuse.

  3. Next to Continuous script monitoring, set the toggle to Off.

Turning off client-side security's resource monitoring does not turn off content security rules (previously known as policies). To turn off content security rules:

  1. In the Cloudflare dashboard, go to the Security rules page.

  2. (Optional) Filter by Content security rules.

  3. For each rule, select the three dots next to it > Disable.