Cloudflare Docs

Cloudflare Fundamentals

Cloudflare Docs

Cloudflare Fundamentals

Overview
New? Start here.
Get started guide
Concepts
What is Cloudflare?
How Cloudflare works
Cloudflare IP addresses
Accounts, zones, and profiles
Cloudflare challenges
Network Layers
Reference architectures
Setup
Add a site
Minimize downtime
Allow Cloudflare IP addresses
Basic tasks
Find zone and account IDs
Manage domains
Move a domain between Cloudflare accounts
Remove a domain
Redirect one domain to another
Pause Cloudflare
Report abuse
Review abuse policies
Complaint types
Providing specific URLs
Submit report
Manage subdomains
Interacting with Cloudflare
Access Cloudflare resources
Access compliance documentation
Test speed
Use Cloudflare without changing nameservers
Solution guides
Improve SEO
Protect your origin server
Free
Pro
Business
Enterprise
Secure your website
Optimize site speed
Prevent DDoS attacks
Reference
/cdn-cgi/ endpoint
Cloudflare and Google Analytics
Cloudflare Cookies
Cloudflare Ray ID
Content Security Policies (CSPs)
HTTP request headers
Network ports
When does Cloudflare crawl my site?
Account and billing
Log into Cloudflare
Account setup
Create account
Verify email address
Create billing profile
Customize account
Account name
Appearance
Communication preferences
Language preference
Members
Manage
Roles
Role scopes
Account security
Set up 2FA
Review audit logs
Allow Cloudflare access
Manage active sessions
Secure compromised account
Zone holds
Account maintenance
Change password or email
Cancel Cloudflare subscriptions
Change domain plan
Delete your Cloudflare account
Update billing information
Understand Cloudflare invoices
Change Super Administrator
Non-contract services
Cloudflare's API
Get started
Create API token
Get Global API key (legacy)
Get Origin CA keys
How to
Make API calls
Create tokens via API
Control API Access
Restrict tokens
Roll tokens
Reference
Limits
API token permissions
API token templates
API deprecations
Troubleshooting
Cloudflare's data products
About Cloudflare Analytics
Types of analytics
Analytics integrations
Datadog
Elastic
Google Cloud
Graylog
Looker
New Relic
Splunk
Sumo Logic
Customizations
Building custom views
Cloudflare Notifications
Notification History
Available Notifications
Create a Notification
Configure PagerDuty
Configure webhooks
Edit a Notification
Edit PagerDuty
Edit webhooks
API reference
Global configurations
Lists
IP Lists
Bulk Redirect Lists
Create in the dashboard
Use lists in expressions
Lists API
JSON object
Endpoints
Security
Challenge Passage
Network
0-RTT Connection Resumption
Partners
Speed
Rocket Loader
Enable
Ignore JavaScripts
Signed exchanges
Enable SXGs
SXGs caveats
Reference
Speed test
Run Speed test
Understand test results
FAQ
AMP Real URL
Enable AMP Real URL
Reference
Prefetch URLs
Aggregated Internet Measurement
The Internet
Glossary

Content Security Policies (CSPs) and Cloudflare

A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:

Content/code injection
Cross-site scripting (XSS)
Embedding malicious resources
Malicious iframes (clickjacking)

To learn more about configuring a CSP in general, refer to the Mozilla documentation.

Using a CSP with Cloudflare

Cloudflare’s CDN is compatible with CSP.

Cloudflare does not:

Modify CSP headers from the origin web server.
Require changes to acceptable sources for first or third-party content.
Modify URLs (besides adding the /cdn-cgi/ endpoint).
Interfere with locations specified in your CSP.

Product requirements

To use certain Cloudflare features, however, you may need to update the headers in your CSP:

Feature(s)	Updated headers
Rocket Loader, Mirage	`script-src 'self' ajax.cloudflare.com;`
Cloudflare Apps, Scrape Shield	`script-src 'self' 'unsafe-inline'`
Web Analytics	`script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com`
Bot products	Refer to JavaScript detections and CSPs.
Page Shield	Refer to Page Shield CSP Header format.
Zaraz	No updates required ( details).
Turnstile	Refer to Turnstile FAQ.