I have several pages which are marked by Google Search Console as “hacked: content injection”. What all these pages have in common is that a script block is injected by the CDN between the last meta tag and the style tag: <script src="/cdn-cgi/apps/head/7TO-6oRUHDBi0-rBBsJ0RFThyNk.js"></script>
The script URL is answered with status 404.
So I wonder what this is and how I can disable it.
What I already tried / ensured:
Rocket Loader was never enabled
Mirage has been disabled for ~30 minutes
Email Address Obfuscation has been disabled for some weeks
Browser Insights has been disabled for some months
The only enabled App is “Logflare” (which passes access-log-like data to their service, so there is no need to inject JS here. Their source code on GitHub, Logflare/cloudflare-app, also doesn’t look like they are doing anything with response body manipulation)
Purged one of the affected URLs multiple times, waited some minutes
What do I need to configure to remove this script tag from all pages?
This has come up before. Sometimes an app leaves leftover code in your site. Open a ticket so Support can track it down.
To contact Cloudflare Customer Support, log in, go to https://dash.cloudflare.com/?account=support and select “get more help”. If you receive an automatic response that does not help you, please reply and indicate you need more help.
After having written a bit back and forth, it boiled down to this answer:
This is part of the code required to run this app. As mentioned by my colleague, this cannot be removed unless you uninstall the app.
I still believe that the script is only associated with Cloudflare and not used at all.
However, as the code for the Logflare Cloudflare App is open source, it’s possible to create a worker script with the same code as the app and avoid the script being injected.
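A way to confirm which script tags are added at the edge, before and after uninstalling the app, is to compare the page as the origin serves it with the page as the CDN serves it. The following is an added example, not part of the original thread; the two HTML samples are constructed, and the function names and the `/static/app.js` path are assumptions.

```python
from html.parser import HTMLParser

# Path prefix of the injected tag quoted in the thread.
CDN_PREFIX = "/cdn-cgi/"


class HeadScripts(HTMLParser):
    """Collect the src of every external <script> inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def head_scripts(html):
    parser = HeadScripts()
    parser.feed(html)
    return parser.srcs


def injected_scripts(origin_html, edge_html):
    """Script srcs present in the edge response but absent from the origin."""
    origin = set(head_scripts(origin_html))
    return [s for s in head_scripts(edge_html) if s not in origin]


# Constructed samples: the same page as saved from the origin and from the CDN.
ORIGIN = ('<html><head><script src="/static/app.js"></script>'
          '<meta charset="utf-8"><style>body{margin:0}</style></head></html>')
EDGE = ('<html><head><script src="/static/app.js"></script>'
        '<meta charset="utf-8">'
        '<script src="/cdn-cgi/apps/head/7TO-6oRUHDBi0-rBBsJ0RFThyNk.js"></script>'
        '<style>body{margin:0}</style></head></html>')

if __name__ == "__main__":
    for src in injected_scripts(ORIGIN, EDGE):
        kind = "CDN path" if src.startswith(CDN_PREFIX) else "unknown source"
        print(f"injected at edge: {src} ({kind})")
```

An empty result for every affected URL means the edge no longer adds anything to the head; any entry that does not start with `/cdn-cgi/` deserves a closer look.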