Welcome change in rocket loader but

Today I saw rocket loader loading from
https://www.example.com/cdn-cgi/scripts//cloudflare-static/rocket-loader.min.js

Which is a very welcome step, but it is not adhering to the policies set by the domain. E.g., I am not using X-Content-Type-Options; this header is disabled (both at the origin and on Cloudflare) on my website, but this rocket-loader script has this header:
X-Content-Type-Options: nosniff
Why?

Similarly, it also has this header:
X-Frame-Options: DENY

How can I remove these headers?

Hello,

Thanks for noticing the positive change. Cloudflare serves internal scripts under the /cdn-cgi/scripts path on customers' domains. It is critical to adhere to best security practices. These headers allow us to restrict potential misuse and are recommended to be served for all the resources Cloudflare manages.

The bottom line: we don’t allow removing those headers. They are only served for Cloudflare-managed scripts, they are safe, and they won’t break any existing functionality.

