How to remove cdn-cgi script from HTML

I have several pages which are marked by Google Search Console as “hacked: content injection”. All these pages have in common, that a script block is injected by the CDN between the last meta-tag and the style-tag:
<script src="/cdn-cgi/apps/head/7TO-6oRUHDBi0-rBBsJ0RFThyNk.js"></script>

The script url is answered with status 404.

So, I wonder what this is and how I can disable it.
What I already tried / ensured:

  • Rocket Load was never enabled
  • Mirage is disabled since ~ 30 minutes
  • Email Address Obfuscation is disabled since some weeks
  • Browser Insights are disabled since some months
  • The only enabled App is “Logflare” (which passes access-log-like data to their service, no need to inject JS here. Their source code at also doesn’t look like they are doing anything with response body manipulation)
  • Purged one of the affected URLs multiple times, waited some minutes

What do I need to configure to remove this script tag from all pages?

This has come up before. Sometimes an app leaves leftover code in your site. Open a ticket so Support can track it down.

To contact Cloudflare Customer Support, login & go to and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.

1 Like

Thank you for your response, I’ve created the ticket.

1 Like

After having written a bit back and forth it boiled down to this answer:

This is part of the code required to run this app, as mentioned by my colleague this cannot be removed unless you uninstall the app.

I still believe, that the script is only associated with Cloudflare and not used at.

However, as the code for the Logflare Cloudflare App is open source, it’s possible to create a worker script with the same code as the app and avoid the script to be injected.

I totally missed the part about the Logflare app. That makes sense, then.

This topic was automatically closed after 30 days. New replies are no longer allowed.