Content security policy on /cdn-cgi/ endpoint

Does anyone know if the missing CSP header on /cdn-cgi/ endpoint is known to Cloudflare?

Its my understanding that this page cannot be modified but just looking for any confirmation on the vulnerability.

Given the page is static and there is no interactable components, the XSS possibility is non-existent. But just wondering

You should ignore all reports from scanners for the /cdn-cgi endpoint. See

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.