Configuration settings
CSP reporting endpoint
When enabled, Page Shield uses a Content Security Policy (CSP) report-only HTTP header to gather information about all the scripts running on your application.
By default, reports are sent to a Cloudflare-owned endpoint:
https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?<QUERY_STRING>
Enterprise customers with a paid add-on can change the reporting endpoint so that the CSP reports are sent to the same hostname:
<YOUR-HOSTNAME>/cdn-cgi/script-monitor/report?<QUERY_STRING>
Prerequisites for using the same hostname for CSP reports
Using the same hostname for CSP reporting may interfere with other Cloudflare products. Before selecting this option, ensure that your Cloudflare configuration complies with the following:
- No rate limiting rules match the cdn-cgi/* URL path
- No WAF custom rules match the cdn-cgi/* URL path
Configure the reporting endpoint
To configure the CSP reporting endpoint:
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > Page Shield > Settings.
- Under Reporting endpoint, select Cloudflare-owned endpoint or Same hostname.
- Select Apply settings.
Connection target details
When connection targets are reported to Cloudflare, their URIs can sometimes include sensitive data such as a session ID.
By default, Page Shield will only check the domain against malicious threat intelligence feeds. You can choose to let Page Shield use the full URI when analyzing the connections made from your domain’s pages. Any sensitive data present in the URI will be logged in clear text, and any user with access to the connection monitor dashboard will be able to view it.
Configure the connection target details to use
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > Page Shield > Settings.
- Under Connection target details, select Log host only to analyze only the hostname or Log full URI to use the full URI in Page Shield.
- Select Apply settings.
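Before selecting Log full URI, it helps to know which connection targets carry sensitive values in their URIs. The following is an added example, not Cloudflare code: it compares what a host-only view keeps with what a full-URI log would expose. The parameter-name pattern, the opaque-value heuristic and the sample URIs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names that commonly carry secrets; extend for your application.
SENSITIVE_NAMES = re.compile(r"(sess|sid|token|auth|secret|passw|jwt|api[_-]?key)", re.I)
# Assumption: a long run of base64url/hex characters is treated as an opaque credential.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")


def host_only(uri):
    """What a host-only view keeps: the hostname, without path, query or fragment."""
    return urlsplit(uri).hostname or ""


def sensitive_fields(uri):
    """Return the names of query parameters whose name or value looks sensitive."""
    parts = urlsplit(uri)
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_NAMES.search(name) or OPAQUE_VALUE.match(value):
            hits.add(name)
    # Path segments can carry tokens too (for example /track/<token>/pixel.gif).
    for segment in parts.path.split("/"):
        if OPAQUE_VALUE.match(segment):
            hits.add("<path segment>")
    return sorted(hits)


def audit(uris):
    """Map each host to the sensitive fields a full-URI log would expose."""
    report = {}
    for uri in uris:
        fields = sensitive_fields(uri)
        if fields:
            report.setdefault(host_only(uri), set()).update(fields)
    return {host: sorted(fields) for host, fields in report.items()}

# Constructed sample connection targets (not real traffic).
SAMPLE_URIS = [
    "https://api.example.com/v1/cart?item=42",
    "https://metrics.example.net/collect?sessionid=abc123&page=/checkout",
    "https://cdn.example.org/track/9f8e7d6c5b4a39281706f5e4d3c2b1a0/pixel.gif",
    "wss://chat.example.com/socket?user=7&ref=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFi",
]

if __name__ == "__main__":
    for host, fields in audit(SAMPLE_URIS).items():
        print(f"{host}: {', '.join(fields)}")
```

The name and value patterns are heuristics and will produce some false positives; treat any host that appears in the output as a reason to review who has access to the connection monitor dashboard before enabling full URI logging.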
Turn off Page Shield
When you turn off Page Shield, you lose visibility on the scripts running on your zone, the outbound connections made from pages in your domain, and cookies detected in HTTP traffic.
To turn off Page Shield:
- Log in to the Cloudflare dashboard, and select your account and domain.
- Go to Security > Page Shield > Settings.
- In Disable Page Shield, select Disable.