I am not able to update widgets in my wordpress website, as I get a “405 Not Allowed” error. Clicking on the browser inspect console link, it shows this in the Application tab: <head><title>405 Not Allowed</title><script src="/cdn-cgi/apps/head/iVEQWCsZSy5UpYlGKYudcFVGwJ8.js"></script></head>
So, apparently, Cloudflare is trying to use the cdn-cgi folder, but can’t write to it. Is that right? The permissions look good for that folder, and I don’t have an issue saving posts. I tried deactivating all plugins and using the default theme, nothing helps. I also tried commenting out CSP headers in Nginx, that didn’t work.
Why is Cloudflare trying to inject a script in this case? How can I solve this issue?
No. cdn-cgi is a virtual path that Cloudflare adds to the HTML when it inserts certain files created on the fly so that the browser fetches the link when handling the page’s subrequests. Nothing pointed to that address is actually written to the origin server. Instead, it’s handled by Cloudflare’s edge servers.
If you got a 405, I’d say the request was passed on to the origin, which responded with a 405 error, to which page Cloudflare added the /cdn-cgi/apps... link.
You shouldn’t need to have such a folder on your origin server, as requests to it will always be intercepted by Cloudflare. If you created a cdn-cgi folder at the origin, its permission levels will be ignored as requests will never actually be sent down to the origin.
It’s probably related to Web Analytics, Rocket Loader or some other Cloudflare feature that depends on it. You shouldn’t worry about that link, as that’s not what is causing the 405. Instead, check your origin server and WordPress installation to try to find what’s behind the 405.
This error is normally related to a method not being allowed for the given URL. So I’d check local firewall logs, and your REST API settings if the file in question has a path starting with /wp-json/.