Replace insecure JavaScript libraries
Date: 2024-06-27
This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.
This rewrite operation currently supports the polyfill JavaScript library hosted in polyfill.io.
How it works
When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under CDNJS.
The rewritten URL will keep the original URL scheme (http:// or https://).
For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).
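The matching rule described above can also be used to audit your own pages, so that affected script tags are fixed at the source. This is an added example, not Cloudflare's code: the cdnjs.cloudflare.com/polyfill target, the treatment of subdomains, and carrying the path and query over unchanged are assumptions, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumption: cdnjs target; the page only says "hosted under CDNJS".
CDNJS_HOST, CDNJS_PREFIX = "cdnjs.cloudflare.com", "/polyfill"
SUPPORTED_PATHS = ("/v2/", "/v3/")  # path families the page lists


class ScriptSrcCollector(HTMLParser):  # collects the src of every <script> tag
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit(html):
    """Return [(original_src, suggested_src or None)] for polyfill.io scripts."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        # Assumption: subdomains such as cdn.polyfill.io count as polyfill.io.
        if host != "polyfill.io" and not host.endswith(".polyfill.io"):
            continue
        suggested = None  # stays None outside http(s) and /v2, /v3
        if parts.scheme in ("http", "https") and parts.path.startswith(SUPPORTED_PATHS):
            # Scheme is kept (per the page); path and query kept by assumption.
            suggested = urlunsplit((parts.scheme, CDNJS_HOST,
                                    CDNJS_PREFIX + parts.path, parts.query, ""))
        findings.append((src, suggested))
    return findings


# Constructed sample page for the example.
SAMPLE_HTML = """
<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="http://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="//polyfill.io/v1/polyfill.js"></script>
<script src="https://example.com/notpolyfill.io/app.js"></script>
"""
for original, suggested in audit(SAMPLE_HTML):
    print(original, "->", suggested or "no supported rewrite, fix by hand")
```

Entries reported with no suggestion fall outside the /v2 and /v3 paths or lack an explicit scheme, so they need a manual change in the page source.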
Availability
The feature is available in all Cloudflare plans, and is turned on by default on Free plans.
Configure
- Log in to the Cloudflare dashboard and select your account and zone.
- Go to Security > Settings.
- For Replace insecure JavaScript libraries, switch the toggle to On or Off.
To change the setting through the Cloudflare API instead, issue a PATCH request similar to the following:
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/replace_insecure_js" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{ "value": "on" }'