Replace insecure JS libraries
This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.
This rewrite operation currently supports the polyfill JavaScript library hosted on polyfill.io.
When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under cdnjs.
The rewritten URL will keep the original URL scheme (http:// or https://).
For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).
The feature is available in all Cloudflare plans, and is turned on by default on Free plans.
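To find the script tags this rewrite would act on, for example in pages that are not served through the Cloudflare proxy, the following added example (not Cloudflare's code) scans HTML for script src values on polyfill.io and reports the scheme, API path and requested version. The subdomain match, the `?version=` query parameter and the sample markup are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
INSECURE_HOST = "polyfill.io"  # host named on the page; subdomain matching is an assumption

# Constructed sample markup, not taken from any real site.
SAMPLE_HTML = """
<script src="https://polyfill.io/v3/polyfill.min.js?version=3.111.0"></script>
<script src="http://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="//polyfill.io/v1/polyfill.js"></script>
<script src="https://polyfill.io.example.net/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())

def classify(src):
    """Return a finding for a script URL on the insecure host, else None."""
    parts = urlsplit(src)  # also parses protocol-relative //host/path URLs
    host = (parts.hostname or "").lower()
    if host != INSECURE_HOST and not host.endswith("." + INSECURE_HOST):
        return None  # look-alike hosts such as polyfill.io.example.net land here
    segments = [s for s in parts.path.split("/") if s]
    api_path = segments[0] if segments else ""
    return {
        "src": src,
        "scheme": parts.scheme or "inherits page scheme",
        "api_path": api_path,
        # Assumption: the version is requested via a ?version= query parameter.
        "version": parse_qs(parts.query).get("version", [None])[0],
        # The page lists /v3 and /v2 as supported; anything else needs manual review.
        "rewrite_supported": api_path in ("v2", "v3"),
    }

def audit(html):
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [f for f in map(classify, collector.sources) if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```

Findings with `rewrite_supported` set to False fall outside the paths this page lists and should be fixed in the page source rather than left to the rewrite.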
In the Cloudflare dashboard, go to the Security Settings page.
Turn Replace insecure JavaScript libraries on or off.
Issue a PATCH request similar to the following:
Required API token permissions
At least one of the following token permissions is required:
- Zone Settings Write

    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/replace_insecure_js" \
      --request PATCH \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --json '{ "value": "on" }'

Since pages.dev zones are on a Free plan, the Replace insecure JavaScript libraries feature is turned on by default on these zones and it is not possible to turn it off.