Supported image formats and limitations
You can upload the following image formats to Cloudflare Images:
- WebP (Cloudflare Images does not support uploading animated WebP files)
Dimensions and sizes
These are the maximum allowed sizes and dimensions Cloudflare Images supports:
- Maximum image dimension is 12,000 pixels.
- Maximum image area is limited to 100 megapixels (for example, 10,000×10,000 pixels).
- Image metadata is limited to 1024 bytes.
- Images have a 10 megabyte (MB) size limit.
- Animated GIFs, including all frames, are limited to 50 megapixels (MP).
As such, Cloudflare Images variants cannot be used to resize SVG files. Variants, named or flexible, are intended to transform bitmap (raster) images into whatever size you want to serve them.
You can, nevertheless, use variants to serve SVGs, using any named variant as a placeholder to allow your image to be delivered. For example:
Cloudflare recommends you use named variants with SVG files. If you use flexible variants, all your parameters will be ignored. In either case, Cloudflare applies SVG sanitizing to your files.
You can also use Image Resizing to sanitize SVG files stored in your origin. However, as stated above, Image Resizing will ignore all transform parameters, as Cloudflare does not resize SVGs.
Cloudflare sanitizes SVG files with
svg-hush filters SVGs and removes any potential risky features, such as:
- Scripting: Prevents SVG files from being used for cross-site scripting attacks. Although browsers do not allow scripts in the
<img>tag, they do allow scripting when SVG files are opened directly as a top-level document.
- Hyperlinks to other documents: Makes SVG files less attractive for SEO spam and phishing.
- References to cross-origin resources: Stops third parties from tracking who is viewing the image.
SVG files can also contain embedded images in other formats, like JPEG and PNG, in the form of . Cloudflare treats these embedded images just like other images that we process, and optimizes them too. Cloudflare does not support SVG files embedded in SVG recursively, though.
Cloudflare still uses Content Security Policy (CSP) headers to disable unwanted features, but filtering acts as a defense-in-depth in case these headers are lost (for instance, if the image was saved as a file and served elsewhere).
svg-hush is open-source. It is written in Rust and can filter SVG files in a streaming fashion without buffering, so it is fast enough for filtering on the fly.