Replace insecure JS libraries
This feature, when turned on, automatically rewrites URLs to external JavaScript libraries to point to Cloudflare-hosted libraries instead. This change improves security and performance, and reduces the risk of malicious code being injected.
This rewrite operation currently supports the polyfill JavaScript library hosted on polyfill.io.
When turned on, Cloudflare will check HTTP(S) proxied traffic for script tags with an src attribute pointing to a potentially insecure service and replace the src value with the equivalent link hosted under cdnjs.
The rewritten URL will keep the original URL scheme (http:// or https://).
For polyfill.io URL rewrites, all 3.* versions of the polyfill library are supported under the /v3 path. Additionally, the /v2 path is also supported. If an unknown version is requested under the /v3 path, Cloudflare will rewrite the URL to use the latest 3.* version of the library (currently 3.111.0).
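The rewrite acts on proxied traffic, so the original reference stays in your source HTML. The following added example (not Cloudflare's code or its rewrite logic) audits HTML for script tags whose src points at polyfill.io and reports the scheme and version path of each. Matching subdomains of polyfill.io, and the names ScriptAudit and audit_html, are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: treat polyfill.io and any subdomain (such as cdn.polyfill.io) as in scope.
TARGET_DOMAIN = "polyfill.io"

class ScriptAudit(HTMLParser):
    """Collects <script src=...> references that point at polyfill.io."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return  # not a script tag, or an inline script
        try:
            url = urlsplit(src.strip())
        except ValueError:
            return  # malformed URL
        host = (url.hostname or "").lower().rstrip(".")
        if host != TARGET_DOMAIN and not host.endswith("." + TARGET_DOMAIN):
            return  # exact-suffix match, so notpolyfill.io is not flagged
        # The first path segment is the version path the page describes (/v2, /v3).
        segment = url.path.lstrip("/").split("/", 1)[0].lower()
        self.findings.append({
            "line": self.getpos()[0],
            "src": src,
            "scheme": url.scheme or "protocol-relative",
            "version_path": segment if segment in ("v2", "v3") else "other",
        })

def audit_html(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//polyfill.io/v2/polyfill.js"></script>
<script src="https://example.com/polyfill.io/app.js"></script>
<script src="https://notpolyfill.io/v3/polyfill.min.js"></script>
</head></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

Findings with a version_path of "other" fall outside the /v2 and /v3 paths named above and are worth reviewing by hand.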
The feature is available in all Cloudflare plans, and is turned on by default on Free plans.
- Log in to the Cloudflare dashboard and select your account and zone.
- Go to Security > Settings.
- Turn Replace insecure JavaScript libraries on or off.
Issue a PATCH request similar to the following:
    curl --request PATCH \
      "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/replace_insecure_js" \
      --header "Authorization: Bearer <API_TOKEN>" \
      --header "Content-Type: application/json" \
      --data '{ "value": "on" }'

Since pages.dev zones are on a Free plan, the Replace insecure JavaScript libraries feature is turned on by default on these zones and it is not possible to turn it off.