Replace insecure JavaScript libraries

Date: 2024-06-27

This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.

This rewrite operation currently supports the polyfill JavaScript library hosted on polyfill.io.

Warning: You may need to update your Content Security Policy (CSP) when turning on Replace insecure JavaScript libraries. The feature, when enabled, will not perform any URL rewrites if a CSP is present with a script-src or default-src directive. Cloudflare will not check report-only directives and it will not modify CSP headers. Additionally, if you are defining a CSP via HTML meta tag, you must either turn off this feature or switch to a CSP defined in an HTTP header.

How it works

When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under CDNJS.

The rewritten URL will keep the original URL scheme (http:// or https://).

For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).

The feature is available in all Cloudflare plans, and is turned on by default on Free plans.
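An added example (not Cloudflare's code) that audits an origin response against the rules described above: it lists script tags whose src points at polyfill.io and reports whether an enforcing CSP header would stop the rewrite or a meta-tag CSP needs attention. The function names and sample HTML are constructed, and counting subdomains of polyfill.io as in scope is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKING_DIRECTIVES = {"script-src", "default-src"}  # from the page's warning

def csp_directives(policy):
    """Return the lowercase directive names found in one CSP policy string."""
    return {part.split()[0].lower() for part in policy.split(";") if part.strip()}

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.polyfill_srcs, self.meta_csp = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and "src" in a:
            host = (urlsplit(a["src"]).hostname or "").lower()
            # Assumption: subdomains such as cdn.polyfill.io are in scope too.
            if host == "polyfill.io" or host.endswith(".polyfill.io"):
                self.polyfill_srcs.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.meta_csp = True

def audit(headers, html):
    """headers: list of (name, value) pairs; html: response body as str."""
    scan = _Scan()
    scan.feed(html)
    header_blocks = False
    for name, value in headers:
        # Only the enforcing header counts; report-only headers are not checked.
        if name.lower() == "content-security-policy":
            # One header value may carry several comma-separated policies.
            for policy in value.split(","):
                if csp_directives(policy) & BLOCKING_DIRECTIVES:
                    header_blocks = True
    return {
        "polyfill_srcs": scan.polyfill_srcs,
        "rewrite_skipped_by_header_csp": header_blocks,
        "meta_csp_present": scan.meta_csp,
        "needs_attention": bool(scan.polyfill_srcs) and (header_blocks or scan.meta_csp),
    }

# Constructed sample page: one polyfill.io script and one same-origin script.
SAMPLE_HTML = '<head><script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script><script src="/js/app.js"></script></head>'
if __name__ == "__main__":
    print(audit([("Content-Security-Policy", "script-src 'self'")], SAMPLE_HTML))
```

A page flagged with `needs_attention` still references polyfill.io and will not be rewritten as-is, so either its CSP or its script tags need changing by hand.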