Cloudflare Docs
Page Shield
Cloudflare Docs
Page Shield
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)
  1. Products
  2. Page Shield
  3. Troubleshooting

Troubleshooting

​​ Why do I not see scripts after I activated Page Shield?

Page Shield does not collect data on every single page view. Instead, it uses a sampling approach to gather information efficiently. This means that domains with lower traffic might take longer to generate initial reports, as these domains need more page views to accumulate enough samples. To speed up the reporting process, it is recommended that you actively generate traffic to your application after activating Page Shield. This will provide Page Shield with more data to work with, leading to faster report generation.

​​ Why do I see scripts that I do not recognize?

Scripts often reference other scripts outside your application.

But, if you see unexpected scripts on your Script Monitor dashboard, check them for signs of malicious activity.

​​ Why do I see warnings in my browser’s developer tools related to Content Security Policy (CSP)?

Page Shield uses a Content Security Policy (CSP) report-only directive to gather a list of all scripts running on your application.

Some browsers display scripts being reported as warnings in the console pane of their developer tools. For example:

[Report Only] Refused to execute inline script because it violates
the following Content Security Policy directive: "script-src 'none'".


Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...')
is required to enable inline execution.

You can safely ignore these warnings, since they are related to the reports that Page Shield requires to detect loaded scripts. For more information, refer to How Page Shield works.

​​ Why do I get policy violation reports for a domain I allowlisted?

Policy violations reported via CSP’s report-only directive do not take into consideration any redirects or redirect HTTP status codes. This is by design for security reasons.

Some third-party services you may want to cover in your Page Shield allow policies perform redirects. An example of such a service is Google Ads, which does not work well with CSP policies.

For example, if you add the adservice.google.com domain to an allow policy, you could get policy violation reports for this domain due to redirects to a different domain (not present in your allow policy). In this case, the violation report would still mention the original domain, and not the domain of the redirected destination, which can cause some confusion.

To try to solve this issue, add the domain of the redirected destination to your allow policy. You may need to add several domains to your policy due to redirects.

​​ Do I have access to Page Shield?

Some customers do. For more details, refer to Availability.

​​ How do I set up Page Shield?

For help setting up Page Shield, refer to our get started guide.