This tutorial explains how to disable JS Detections, which can currently only be done via the API to my knowledge.
This is necessary because enabling Bot Fight Mode (BFM) also enables JS Detections (JSD), but disabling BFM does not disable JSD.
This is after disabling BFM, but JSD are still active:
With JSD enabled, Cloudflare injects a script at the end of of the site’s HTML.
</table>
<script>(function() ... </script>
</body></html>
Since the question of how to remove it comes up a lot, this is a small tutorial on how to use the API to disable JSD.
First, you will need to get your account’s API Key and the ZoneID of the domain for which you want to disable JSD. You can find the ZoneID on the bottom right of the linked page.
With this, you can run the following API command (should work in any Linux shell):
curl https://api.cloudflare.com/client/v4/zones/ZONEID/bot_management \
-X PUT \
-H 'Content-Type: application/json' \
-H "X-Auth-Email: EMAIL" \
-H "X-Auth-Key: APIKEY" \
-d '{
"enable_js": false,
"fight_mode": false
}'
Just replace ZONEID, EMAIL and APIKEY with your values. EMAIL is the email address of your Cloudflare login.
After running the command, you should see a confirmation that JSD is now disabled:
{
"result": {
"enable_js": false,
"fight_mode": false,
"ai_bots_protection": "disabled",
"crawler_protection": "disabled",
"is_robots_txt_managed": false,
"cf_robots_variant": "policy_only",
"using_latest_model": true
},
"success": true,
"errors": [],
"messages": []
}
You can also confirm by loading your site and checking for the injected script at the bottom.
</table>
</body></html>
As you can see, the script is no longer injected.
Note that at the time of writing this, the dashboard seems to have a bug and still shows JSD as enabled, even though it is actually disabled.