GDPR and security issue with Cloudflare Analytics

After activating Cloudflare Analytics I ran a GDPR compliance test on this website: https://2gdpr.com

and it shows this error: Third-party resources must be downloaded via HTTPS, but if this is not possible, their use is unsafe.

So it seems like it is not safe to use Cloudflare Analytics. Is there anything I can do to fix this? A screenshot is attached.

I am not aware how this tool works.

Is your website working over HTTP or HTTPS while you are using Cloudflare?

May I ask which SSL option you have selected under the SSL/TLS tab in the Cloudflare dashboard for your domain (Flexible, Full, Full Strict …)?

For http://cloudflareinsights.com/ there is a 301 redirection to HTTPS if that’s the case.

I can see only HTTPS requests for my website and to cloudflareinsights domain made from my Web browser.

strict

It has been using https: for many days.

I tested multiple sites and it shows the same issues, but only on those which have Cloudflare Analytics turned on.

I see no issues at all for Cloudflare domains so far:

Maybe those websites are missing “cookie banner” or something like that, which could be the reason why you got that message showing on that particular online “GDPR” testing tool


If there is a cookie issue it will show in the cookie section, as you can see with the test for Cloudflare pages here

Also, the script for the Cloudflare website is way different than what they inject in other websites. For comparison, this is what cloudflare.com has on their own website:

<script defer="" src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon="{&quot;rayId&quot;:&quot;6e1a41cf5d916f41&quot;,&quot;token&quot;:&quot;6f9a2202213848f5bff934592489e351&quot;,&quot;version&quot;:&quot;2021.12.0&quot;,&quot;si&quot;:100}" crossorigin="anonymous"></script>

But the script they add into the website hosted with them looks like this:

<script defer="" src="https://static.cloudflareinsights.com/beacon.min.js" data-cf-beacon="{&quot;token&quot;: &quot;--------token here----------&quot;}"></script>

So, it seems like there are some differences here, as you can see.

thanks

I do not think I have any control over the script code Cloudflare injects on the website as it seems to be automatic
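Added example (not part of any post in this thread, and not Cloudflare's or 2gdpr.com's code): a small Python audit of the two properties this discussion turns on, whether a third-party script is fetched over HTTPS and whether it carries a Subresource Integrity hash, run over the two script tags quoted above. The function names and the first-party URL `https://example.com/` are assumptions; the sample markup is constructed from the quoted tags with hash, token and version path replaced by placeholders, plus one constructed plain-HTTP tag to show the failing case.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptAudit(HTMLParser):
    """Collect every <script src=...> with the attributes that matter here."""
    def __init__(self, page_url):
        super().__init__()
        self.page = urlsplit(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return
        src = urlsplit(a["src"])
        host = src.hostname or self.page.hostname   # relative URL -> first party
        scheme = src.scheme or self.page.scheme     # "//host/x" inherits page scheme
        beacon = a.get("data-cf-beacon")            # parser already decoded &quot;
        self.findings.append({
            "host": host,
            "third_party": host != self.page.hostname,
            "https": scheme == "https",
            "sri": bool(a.get("integrity")),
            "beacon_keys": sorted(json.loads(beacon)) if beacon else [],
        })

def audit(html, page_url):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings

def problems(findings):
    """Third-party scripts that are not HTTPS, or have no integrity hash."""
    out = []
    for f in findings:
        if f["third_party"] and not f["https"]:
            out.append((f["host"], "not-https"))
        if f["third_party"] and not f["sri"]:
            out.append((f["host"], "no-sri"))
    return out

# Constructed sample: the thread's two tags with placeholders, plus one constructed HTTP tag.
SAMPLE = '''
<script defer src="https://static.cloudflareinsights.com/beacon.min.js/vPLACEHOLDER" integrity="sha512-PLACEHOLDER" data-cf-beacon="{&quot;rayId&quot;:&quot;PLACEHOLDER&quot;,&quot;token&quot;:&quot;PLACEHOLDER&quot;}" crossorigin="anonymous"></script>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js" data-cf-beacon="{&quot;token&quot;: &quot;PLACEHOLDER&quot;}"></script>
<script src="http://cdn.example.net/lib.js"></script>
'''
print(problems(audit(SAMPLE, "https://example.com/")))
```

Both quoted Cloudflare tags pass the HTTPS check here; the only difference this audit reports between them is the missing `integrity` attribute on the injected one.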

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Hello, has this problem been resolved? I see the same issue on all websites using Cloudflare Analytics. Why is Cloudflare not using https? I am thinking of stopping using Cloudflare Analytics as it is not reliable or secure. You can test any website on this GDPR compliance check website to verify: https://2gdpr.com

Thanks

Do you have an example of a website where cloudflareinsights.com is being loaded over HTTP?

This is much more likely to be related to your zone’s settings than anything else, since it’s perfectly fine on all of my sites.

Yes, but I cannot share the link here; it is a client website under NDA. If you have any open website hosted on Cloudflare Pages using Cloudflare Analytics, you can run the test on https://2gdpr.com to see the results.

That’s my point - I’ve tried several and I have no issues.

OK, I will try to find a URL I can share to demonstrate the issue.

It’s more likely that your zone doesn’t have https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/ enabled in most cases - that’ll check if it’s available over https:// (which it is) and rewrite any occurrences of http:// for that host.

I’m using Cloudflare https: and a tight https policy; this is a Cloudflare script that has nothing to do with me because the JS snippet is in their possession. Thanks

So you have Automatic HTTPS Rewrites enabled on that zone?

Yes, it is.