
Replace insecure JavaScript libraries

This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.

This rewrite operation currently supports the polyfill JavaScript library hosted on polyfill.io.

How it works

When turned on, Cloudflare checks proxied HTTP(S) traffic for script tags with an src attribute pointing to a potentially insecure service and replaces the src value with the equivalent link hosted under CDNJS.

The rewritten URL will keep the original URL scheme (http:// or https://).

For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. The /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).
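
To find the script tags this rewrite would touch, so they can also be fixed at the origin, the following added example (not Cloudflare's code) scans HTML for src values on polyfill.io and models the rewrite, keeping the original scheme. The CDNJS base path, the matching of polyfill.io subdomains, and all function and constant names are assumptions not taken from this page.

```javascript
// Added example: audit HTML for <script src> tags that load from polyfill.io.
// Matches double-quoted, single-quoted and unquoted src attribute values.
const SCRIPT_SRC = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Assumption: CDNJS location of the polyfill library (not stated on the page).
const CDNJS_BASE = "cdnjs.cloudflare.com/polyfill";

function findPolyfillScripts(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    // Attribute values may carry HTML-escaped ampersands.
    const src = (m[1] ?? m[2] ?? m[3]).replace(/&amp;/g, "&");
    let url;
    try {
      // The base is only used to parse relative and protocol-relative values.
      url = new URL(src, "https://placeholder.invalid/");
    } catch {
      continue; // unparsable src, nothing to report
    }
    const host = url.hostname.toLowerCase();
    // Assumption: subdomains of polyfill.io are treated the same as the apex.
    if (host !== "polyfill.io" && !host.endsWith(".polyfill.io")) continue;

    // Only the /v2 and /v3 paths are described as supported.
    const major = /^\/(v2|v3)(\/|$)/.exec(url.pathname);
    const explicitScheme = /^https?:\/\//i.test(src);
    const scheme = explicitScheme ? url.protocol : ""; // keep http: or https:
    findings.push({
      src,
      pathVersion: major ? major[1] : null,
      // Modeled rewrite; version resolution (for example an unknown 3.* version
      // mapping to the latest one) happens on Cloudflare's side and is not modeled.
      suggested: major
        ? `${scheme}//${CDNJS_BASE}${url.pathname}${url.search}`
        : null,
    });
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_HTML = `
<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script async src='http://cdn.polyfill.io/v2/polyfill.min.js'></script>
<script src="/static/app.js"></script>
<script src="https://polyfill.io/v1/polyfill.js"></script>`;

console.log(findPolyfillScripts(SAMPLE_HTML));
```

Entries with `suggested: null` point at polyfill.io outside the /v2 and /v3 paths and need manual review.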

Availability

The feature is available in all Cloudflare plans, and is turned on by default on Free plans.


Configure

  1. Log in to the Cloudflare dashboard and select your account and zone.
  2. Go to Security > Settings.
  3. For Replace insecure JavaScript libraries, switch the toggle to On or Off.

To configure the feature using the API, issue a PATCH request similar to the following:

curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/replace_insecure_js" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{ "value": "on" }'

Final remarks

Since pages.dev zones are on a Free plan, the Replace insecure JavaScript libraries feature is turned on by default on these zones and it is not possible to turn it off.