/cdn-cgi/ endpoint
When you add a domain to Cloudflare, Cloudflare adds a /cdn-cgi/ endpoint (www.example.com/cdn-cgi/) to that domain.
This endpoint is managed and served by Cloudflare. It cannot be modified or customized. The endpoint is not used by every Cloudflare product, but you may find some products use the endpoint in its URL.
A few examples include (but are not limited to):
- Identify the Cloudflare data center serving your request, which is helpful for troubleshooting (
https://<YOUR_DOMAIN>/cdn-cgi/trace). - JavaScript detection used by Cloudflare bot products (
example.com/cdn-cgi/challenge-platform/) - Image transformations in the new URLs you would use for images (
example.com/cdn-cgi/image/) - Email address obfuscation used to hide email addresses from malicious bots (
example.com/cdn-cgi/l/email-protection) - Web analytics for a website proxied through Cloudflare (
example.com/cdn-cgi/rum). This endpoint returns a204HTTP status code. - Speed Brain adds an HTTP header called
Speculation-Rulesto web page responses. This header contains a URL that hosts an opinionated Speculation-Rules configuration, which instructs the browser to initiate prefetch requests for anticipated future navigations.
Some scanners may display an error because certain /cdn-cgi/ endpoints do not have an HSTS setting applied to it or for similar reasons. Because the endpoint is managed by Cloudflare, you can ignore the error and do not need to worry about it.
To prevent scanner errors, omit the /cdn-cgi/ endpoint from your security scans.
/cdn-cgi/ also can cause issues with various web crawlers.
Search engine crawlers can encounter errors when crawling these endpoints and — though these errors do not impact site rankings — they may surface in your webmaster dashboard.
SEO and other web crawlers may also mistakenly crawl these endpoints, thinking that they are part of your site’s content.
As a best practice, update your robots.txt file to include Disallow: /cdn-cgi/.