CF alters Yandex verification file even though Web Analytics is off

I have been using Google Search Console and Yandex Webmaster Tools for my site for years without a hitch (including more than 2 months under CF). Google- and Yandex-supplied HTML files are used for the site verification. Today I received a message from Yandex saying that my site verification has been reset and I need to re-verify my ownership of the site. The Yandex file is in its place and its content is correct. When I open the file from my Chrome browser I see the correct content. But here’s what Yandex bot sees when it opens the file according to Yandex:

## Response "" → Yandex.Webmaster bot

|HTTP status code|200 OK|
|Server response time|78 ms|
|IP address||
|Encoding|UTF-8(unicode-1-1-utf-8, UTF8)|
|Page size|571 B|

* Date: Sun, 04 Apr 2021 06:30:09 GMT
* Content-Type: text/html
* Transfer-Encoding: chunked
* Connection: keep-alive
* Set-Cookie: __cfduid=d0531ac3745222ace74718543f16039051617517809; expires=Tue, 04-May-21 06:30:09 GMT; path=/;; HttpOnly; SameSite=Lax; Secure
* X-Content-Type-Options: nosniff
* Last-Modified: Wed, 27 Feb 2019 16:22:56 GMT
* Cache-Control: max-age=7776000
* Expires: Sat, 03 Jul 2021 06:30:09 GMT
* Vary: Accept-Encoding,User-Agent
* CF-Cache-Status: DYNAMIC
* cf-request-id: 093d2c2866000076a9e50be000000001
* Expect-CT: max-age=604800, report-uri=""
* Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/\/report?s=1pTQ7JgrT%2Bs4P2jqovaNduCtZkIl%2BpLF1B8eYFi73UlDQu8J90f3Ul4nB%2BFLWecU6OTvL7%2Fq5quDBeHebqc9B34mmixLqj85Ru4SSWv%2BuHtzuw%3D%3D"}]}
* NEL: {"report_to":"cf-nel","max_age":604800}
* Server: cloudflare
* CF-RAY: 63a87c870bc076a9-DME
* Content-Encoding: gzip
* alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

Page content

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <script async src='/cdn-cgi/bm/cv/6**********7/api.js'>
    Verification: b**************4
    <script type="text/javascript">

The two scripts are clearly added by CF even though Web Analytics and Browser Insights have always been off. Yandex won’t recognize the botched file as correct. There are no special page rules for Yandex bot (it indexes everything with no problem). What’s going on?

PS Just in case, here’s the unbotched yandex file:

        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <body>Verification: b*********************4</body>

PPS What else might be important: I have Bot Fight Mode on (since forever) and a have a Firewall Rule to block any known bots but those I explicitly allow (those include Google and Yandex AS’s):
( and not ip.geoip.asnum in {15169 13238 7941 43037 14618 32934 132892} and http.request.uri.path ne "/robots.txt")

That’s a Bot Management script. I don’t know why it’s suddenly creating a problem.

1 Like

The “suddenly” part could theoretically be explained by Yandex probably not checking existing site verifications every day but, say, once in a few months. So theoretically it could be that the problem existed since day one on CF but Yandex simply didn’t notice it until now.

But what I don’t understand is that I usually see it in my Firewall logs when a request triggers Bot Fight mode. In this case there is no record in the Firewall log with that timestamp and that URL…

PS It’s probably worth mentioning that I switched my Yandex verification mode to meta tag and regained control of my Yandex console so there’s no urgency any more but I still would like to understand what’s going on.

Aha, so I’m not the first to have exact same problem with Yandex verification: Strange code showing on my site - #5 by user5303
As soon as I entered the script name in the search box I got a lot of hits. Seems like no one knows (or cares to explain) exactly why it’s happening and/or why it comes and goes. Oh well, another mystery to live with… :wink:

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.