Skip to content

PageShieldSettings

Source: src/Cloudflare/PageShield/Settings.ts

The Page Shield configuration of a Cloudflare zone (/zones/{zone_id}/page_shield).

Page Shield monitors the JavaScript and connections loaded by your visitors’ browsers to detect supply-chain attacks (e.g. Magecart). The configuration is a zone singleton — it always exists (default disabled), so this resource never creates or deletes anything physical. Reconcile PUTs the configuration when the observed flags differ from the desired ones; destroy restores the flags the zone had before Alchemy first managed them.

Script/connection monitoring data requires a Business or Enterprise zone plan, but the configuration endpoints themselves accept reads and enabled writes on lower plans. Setting useConnectionUrlPath: true or useCloudflareReportingEndpoint: false on a non-entitled zone fails with the typed NotEntitled error.

Only one PageShieldSettings resource per zone makes sense — two instances managing the same zone would fight over the singleton.

Managing Page Shield

Section titled “Managing Page Shield”

Enable Page Shield on a zone

const zone = yield* Cloudflare.Zone("Site", { name: "example.com" });


yield* Cloudflare.PageShieldSettings("PageShield", {
  zoneId: zone.zoneId,
});

Analyze connection URL paths too

yield* Cloudflare.PageShieldSettings("PageShield", {
  zoneId: zone.zoneId,
  useConnectionUrlPath: true,
});

Report CSP violations to the zone instead of Cloudflare

yield* Cloudflare.PageShieldSettings("PageShield", {
  zoneId: zone.zoneId,
  useCloudflareReportingEndpoint: false,
});