Cloudflare Docs
WAF
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Replace insecure JavaScript libraries

This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.

This rewrite operation currently supports the polyfill JavaScript library hosted in polyfill.io.

​​ How it works

When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under CDNJS.

The rewritten URL will keep the original URL scheme (http:// or https://).

For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).

​​ Availability

The feature is available in all Cloudflare plans, and is turned on by default on Free plans.


​​ Configure

  1. Log in to the Cloudflare dashboard and select your account and zone.
  2. Go to Security > Settings.
  3. For Replace insecure JavaScript libraries, switch the toggle to On or Off.

Issue a PATCH request similar to the following:

curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/replace_insecure_js" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{ "value": "on" }'