Cloudflare Docs

Cloudflare Fundamentals

Cloudflare Docs

Cloudflare Fundamentals

Overview
Concepts
What is Cloudflare?
How Cloudflare works
Cloudflare IP addresses
Our free plan
Reference architectures
The Internet
How to use Cloudflare
Manage account
Create account
Verify email address
Log into Cloudflare
Manage email notifications
Account security
Allow Cloudflare access
Login and account issues
Manage active sessions
Multi-Factor Email Authentication
Provision with SCIM
Review audit logs
Secure compromised account
Set up SSO
Two-factor authentication
Zone holds
Account customizations
Account name
Appearance
Communication preferences
Language preference
Manage domains
Add a site
Add multiple sites via automation
Change your domain version
Connect your domain
Manage subdomains
Move a domain between Cloudflare accounts
Pause Cloudflare
Redirect one domain to another
Remove a domain
Star websites
Manage members
Manage
Roles
Role scopes
Set up SSO
Accounts, zones, and profiles
Find zone and account IDs
Use Cloudflare without changing nameservers
Troubleshooting
Subscriptions and billing
Create billing profile
Billing Policy
Cancel Cloudflare subscriptions
Change domain plan
Change password or email
Change Super Administrator
Delete your Cloudflare account
Preview services
Troubleshoot failed payments
Understand Cloudflare invoices
Update billing information
Basic tasks
Improve SEO
Interacting with Cloudflare
Maintenance mode
Minimize downtime
Optimize site speed
Prevent DDoS attacks
Protect your origin server
Recovering from a hacked site
Scan for PCI compliance
Secure your website
Test speed
Trace a request
How to
Limitations
Changelog
Under a DDoS attack?
Cloudflare's API
Get started
Create API token
Get Global API key (legacy)
Get Origin CA keys
How to
Make API calls
Create tokens via API
Control API Access
Restrict tokens
Roll tokens
Reference
Limits
API token permissions
API token templates
API deprecations
SDKs
Troubleshooting
Building custom views
Reference
Policies
Cloudflare Cookies
Compliance documentation
Content Security Policies (CSPs)
Incident Management Policy
Project Cybersafe Schools
Report abuse
Review abuse policies
Complaint types
Providing specific URLs
Submit report
/cdn-cgi/ endpoint
Cloudflare and Google Analytics
Cloudflare crawlers
Cloudflare HTTP request headers
Cloudflare Ray ID
Cryptographic Attestation of Personhood
Glossary
Network Layers
Network ports
Partners
Redirects
TCP connections
Under Attack mode

Content Security Policies (CSPs) and Cloudflare

A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:

Content/code injection
Cross-site scripting (XSS)
Embedding malicious resources
Malicious iframes (clickjacking)

To learn more about configuring a CSP in general, refer to the Mozilla documentation.

Using a CSP with Cloudflare

Cloudflare’s CDN is compatible with CSP.

Cloudflare does not:

Modify CSP headers from the origin web server (except when using Zaraz, to ensure the Zaraz script is always running).
Require changes to acceptable sources for first or third-party content.
Modify URLs (besides adding the /cdn-cgi/ endpoint and Cloudflare Fonts that rewrites Google Fonts urls).
Interfere with locations specified in your CSP.

Product requirements

To use certain Cloudflare features, however, you may need to update the headers in your CSP:

Feature(s)	Updated headers
Rocket Loader, Mirage	`script-src 'self' ajax.cloudflare.com;`
Cloudflare Apps, Scrape Shield	`script-src 'self' 'unsafe-inline'`
Web Analytics	`script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com`
Bot products	Refer to JavaScript detections and CSPs.
Page Shield	Refer to Page Shield CSP Header format.
Zaraz	No updates required ( details).
Turnstile	Refer to Turnstile CSP.