Testing Server Side Excludes

I’m trying to test Server Side Excludes, but I must be missing something. How do I test that it’s working, as I’m not “bad” enough to trigger the exclude?

Maybe there’s a specific user agent or additional request header I can set to trigger the different “bad” responses?

Sure I can’t be the only one interested in seeing if these actually work?

I’ve tried using the User Agent “sqlmap” and my server blocks this and returns 403 anyway, so that’s no good. I’m guessing if I try long enough I’ll find a dodgy User Agent string that Cloudflare doesn’t like but Krystal (my host) don’t mind, but surely there’s an easier way that guessing?

Hi @riklewis,

My guess is that what Cloudflare considers “suspicious visitors” is based on IP address reputation, not user agent. I’m not sure how you could test this, but I’d suggest you try a Tor connection or perhaps try different online proxy services to visit your site, as some of their IP are likely to have a current bad reputation, and try to see if SSE is working.

https://support.cloudflare.com/hc/en-us/articles/200170036-What-does-Server-Side-Excludes-SSE-do-

I think it’ll be based on a number of factors, I just assumed they would have a relatively straightforward way of testing it themselves.

IP is probably a big factor, you’re right. I’ve tried Tor and that wasn’t a problem, they even have their own Tor infrastructure so I wasn’t too surprised by that. I could try to find some dodgy proxies, but is that really the only way?

I have a support ticket as well, but so far I’ve had a generic response pointing me to an FAQ page which is only loosely connected and not helpful. Hopefully the next person actually reads the ticket before responding.

I don’t think Server-Side Excludes work at all

I’ve tried accessing my site through some really dodgy looking free proxy services and none of them have triggered the functionality.

No joy yet, tried several but not found one that triggers the functionality.

Looks like the same question has been asked by the community before…

https://community.cloudflare.com/t/server-side-excludes-sse-and-cache-eveything/1381/4

I’m getting some really bad scripted responses from the support ticket at the moment, can only hope that improves if I keep asking the question over and over.

I’ve created a test page here, in case anyone is interested…

https://www.riklewis.com/good-or-bad/

Looks like this topic will be closed today, without a solution

Thanks for responding though @cbrandt

Fixed Will now close based on the last reply, rather than a specific date.

Thanks @domjh

Any idea on testing SSE whilst you’re here?

No problem, I hope you get it sorted!

I’m afraid not! It is not something I currently use!

With the support ticket, you shouldn’t get too many autoresponses, if you reply to them, you should get a real person! If you post the ticket number here, maybe one of the mods will have a look for you

Thanks. The support ticket is #1736366.

Flagged for mod attention

Please do update us if you get a useful reply on the ticket, as you won’t be the only one asking the question!

There’s one <!--sse--> tag that is missing the ! on your test page. Also, if I got it right, this should be an opening tag, but then it has a misplaced /.

image.png712×141 10.4 KB

Thank you, I’ve fixed this now. Still not sure how to get the “bad actor” message to display though…

Hi @riklewis,

Just found this:

How do I know if Server-side Excludes are working?

You may not see conditional comments in your content when served by Cloudflare. Certain Cloudflare features like HTML minification will remove the conditional comments. This indicates that Server-side Excludes are functioning properly. You will always be able to see your conditional comments in the HTML source on your origin.

Note: Server-side Excludes are only applied to content with a MIME type of text/html or application/xhtml+xml .

Like I say, it is not something I use, so not sure entirely what it means in practical terms, but it may help you?

Thanks @domjh

Ironically, the second response on the support ticket was that I needed to switch off HTML Minification for it to work

I did reply back and say that I thought that was inaccurate though, based on the information in the FAQ which states that it would work with HTML Minification because both happen on the fly…

https://support.cloudflare.com/hc/en-us/articles/200170036-What-does-Server-Side-Excludes-SSE-do-

I’ve not had a third response yet though.

Where did you get information you found? Do you have a link?

My content is definitely the right mime type (text/html). And I think when the HTML Minification was on the tags were removed, so that’s a good sign. But I’d still really like to be able to see what my page looks like to “bad actors”.

That was under the ‘help’ option in the dashboard:

image1044×697 29.6 KB

Surprised it is not in the docs anywhere.

That’s fair enough! Hopefully support will get back to you soon! Sorry I couldn’t be of more help.

I definitely read that Help section a few months ago when I first started looking at SSE, but I don’t remember it saying that. Either it’s been updated recently or I’m getting old

No problem, I appreciate the time and effort you’ve given in responding.

I got a first positive… er… negative

I visited the page with a Onion Browser within a Windows 10 Sandbox.

image.png1440×900 77.5 KB