Cloudflare Docs
WAF
Cloudflare Docs
WAF
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)
  1. Products
  2. WAF
  3. Additional tools
  4. Replace insecure JS libraries

Replace insecure JavaScript libraries

This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.

This rewrite operation currently supports the polyfill JavaScript library hosted in polyfill.io.

​​ How it works

When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under CDNJS.

The rewritten URL will keep the original URL scheme (http:// or https://).

For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).

​​ Availability

The feature is available in all Cloudflare plans, and is turned on by default on Free plans.

​​ Configure

  1. Log in to the Cloudflare dashboard and select your account and zone.
  2. Go to Security > Settings.
  3. For Replace insecure JavaScript libraries, switch the toggle to On or Off.

Issue a PATCH request similar to the following:

curl --request PATCH \

"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/replace_insecure_js" \

--header "Authorization: Bearer <API_TOKEN>" \

--header "Content-Type: application/json" \

--data '{ "value": "on" }'