Why does Cloudflare insert JavaScript and what does it do?

Cloudflare inserts some JavaScript without my permission:
In <head>
<script async="" src="/cdn-cgi/bm/cv/669835187/api.js"></script>

Below <body>

<script type="text/javascript">(function(){window['__CF$cv$params']={r:'64360e48380f4e97',m:'8e57c1570954f0833244d8311b92c44421aa05bc-1619002272-1800-AbqlADkPzR/BKI40CBgzEhCFZiCBvwTl44k89e0ErdO+JhYlie3IGhJLoCOcxcNbXbQiUhPq6wuAfNJ+2XAKsLP6wylPQgI1JO/WdObiWlK4EAGJClKPGqO5KY+ujphAww==',s:[0x47f70c9c22,0xeb16087225],}})();</script>

I want this GONE, because I do not appreciate unsolicited code injection. How do I remove this?

Did you enable Rocket Loader?

Bot Management feature is enabled for your domain at Cloudflare dashboard.

1 Like

Uh, did you turn this on?

Based on my experience, this setting will not turn on automatically - unless you are the one who enabled it. This means you are giving Cloudflare permission to inject a small piece of JavaScript code to improve Bot Management products.

2 Likes

I did turn on Bot Fight Mode, but it was not clear that that injects JavaScript. I thought it was more of a captive portal on Cloudflare’s end, the typical “checking your browser before accessing…” page.

Where is the “JavaScript detections” setting? I can’t find it.

Ok, just realized that you are using the Free plan.

Unfortunately, the setting is only available in the Pro plan or higher.

Free plans will have this setting turned on automatically.

JavaScript detections

The JavaScript Detections (JSD) engine identifies headless browsers and other malicious fingerprints. This engine performs a lightweight, invisible JavaScript injection on the client side of any request while honoring our strict privacy standards. We do not collect any personally identifiable information during the process. The JSD engine either blocks, challenges, or passes requests to other engines.

JSD is automatically enabled with Bot Fight Mode.

1 Like
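An added example, not part of the thread and not Cloudflare's code: one way for a site owner to see exactly which scripts a proxy adds is to diff the `<script>` elements of the origin's response against the response received through the proxy. The sample HTML is constructed, and the function names and labels are hypothetical; the two markers checked are the `/cdn-cgi/` path and the `__CF$cv$params` name shown in the question.

```python
import hashlib
from html.parser import HTMLParser

# Constructed samples: the page as the origin sends it, and the same page as received
# through the proxy with the two scripts from the question (values are placeholders).
ORIGIN_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><script>console.log("site code");</script><p>Hello</p></body></html>"""
EDGE_HTML = """<html><head><script src="/static/app.js"></script>
<script async="" src="/cdn-cgi/bm/cv/669835187/api.js"></script></head><body>
<script type="text/javascript">(function(){window['__CF$cv$params']={r:'PLACEHOLDER',m:'PLACEHOLDER',s:[0x0,0x0],}})();</script>
<script>console.log("site code");</script><p>Hello</p></body></html>"""

class ScriptCollector(HTMLParser):
    """Records each <script> as (kind, identity, body): src URL, or SHA-256 of the body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None  # _inline buffers an open inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src, ""))
            self._inline = None if src else []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            self.scripts.append(("inline", hashlib.sha256(body.encode()).hexdigest(), body))
            self._inline = None

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def injected_scripts(origin_html, edge_html):
    """Return scripts present in the edge response but absent from the origin's."""
    known = {(kind, ident) for kind, ident, _ in scripts_in(origin_html)}
    found = []
    for kind, ident, body in scripts_in(edge_html):
        if (kind, ident) not in known:
            marker = "/cdn-cgi/" in ident or "__CF$cv$params" in body
            found.append((kind, ident, "page-marker" if marker else "unrecognised"))
    return found
```

Inline scripts are compared by hash, so a script the proxy rewrites rather than adds also shows up as a difference.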

Ah, I see. Well, if it’s just a snippet for bot detection, that’s all right I suppose.

1 Like

Checking raw HTTP requests can’t give any accurate or updated protection against bot/DDoS attacks; JavaScript collectors/challenges are needed in order to properly classify traffic and determine whether it’s potentially malicious or not.

1 Like
