I have several pages which are marked by Google Search Console as “hacked: content injection”. All these pages have in common, that a script block is injected by the CDN between the last meta-tag and the style-tag:
The script url is answered with status 404.
So, I wonder what this is and how I can disable it.
What I already tried / ensured:
- Rocket Load was never enabled
- Mirage is disabled since ~ 30 minutes
- Email Address Obfuscation is disabled since some weeks
- Browser Insights are disabled since some months
- The only enabled App is “Logflare” (which passes access-log-like data to their service, no need to inject JS here. Their source code at https://github.com/Logflare/cloudflare-app/ also doesn’t look like they are doing anything with response body manipulation)
- Purged one of the affected URLs multiple times, waited some minutes
What do I need to configure to remove this script tag from all pages?