Privacy & Security

We removed all tracking from our website (again)

We promised no tracking. Then we discovered Cloudflare was injecting five JavaScript files into every page. Here is what we found and what we ripped out.


We tell you there is no tracking on this site. That is the deal. Your files stay on your device, nothing phones home, no analytics beacons, no cookies. Simple.

Then we ran an audit and found Cloudflare was injecting five JavaScript files into every page we serve.

What we found

We use Cloudflare as our CDN. It is fast, reliable, and has a generous free tier. What we did not realise is that several Cloudflare features are enabled by default or get toggled on when you click through setup wizards without reading the fine print.

Here is what was running on every page:

  1. **RUM beacon (beacon.min.js)** - Cloudflare Web Analytics. A real user monitoring script that sends page view data to Cloudflare's servers. We never enabled this deliberately. It appeared after toggling a dashboard setting we thought was server-side only.
  2. **Rocket Loader** - A script that wraps every `<script>` tag on the page in a custom async loader. Meant to improve performance. In practice, it added a script we did not write and broke execution order on some pages.
  3. **Speed Brain** - Speculative prefetching via injected JavaScript. Our framework already handles prefetching. This added a competing mechanism that served no purpose except adding another script to the page.
  4. **Cloudflare Fonts** - Rewrites Google Fonts references to serve from Cloudflare's edge. Sounds helpful, except it injects JavaScript to do the rewriting. We self-host our fonts. This was doing nothing useful.
  5. **Email Obfuscation** - Injects a decoder script to protect email addresses from scrapers. We do not have email addresses in our HTML. Pure overhead.

On top of those, we found NEL (Network Error Logging) headers in our responses. NEL instructs your browser to send error reports to Cloudflare when connections fail. That is telemetry we never disclosed and never intended.

The Google Fonts leak

While auditing, we also discovered two files that still referenced Google Fonts via external URLs. That means every visitor loading those pages sent their IP address to Google. For a site that promises no third-party requests, that is a direct contradiction.

We replaced both with system font stacks. No external requests, no custom font files to host. The system fonts on your device are good enough.

What we did

We turned off every injected script, HTML-modifying feature, and reporting header that served no purpose for a static site.

  • Rocket Loader: disabled
  • Speed Brain: disabled
  • Cloudflare Fonts: disabled
  • Web Analytics / RUM beacon: disabled
  • NEL: disabled
  • Google Fonts external references: replaced with system font stacks
  • Email Obfuscation: kept on (it injects a small script, but it serves a legitimate purpose protecting email addresses from scraping bots)

We verified by viewing source on every page and searching for `cloudflare`, `rocket-loader`, `beacon.min.js`, and `cdn-cgi`. Nothing. Clean.
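As an added example (not the post's own code), here is a small Python check that applies the same verification criteria to a page's HTML and response headers: it flags `<script>`/`<link>` assets matching the markers above, any Google Fonts reference, and the NEL header together with Report-To, which NEL relies on. The sample HTML and headers are constructed, and `HASH` stands in for the path segment Cloudflare generates.

```python
import re
from typing import Dict, List

# Strings the post grepped page source for, the Google Fonts hosts from the
# font leak, and the NEL header (with Report-To, which NEL relies on).
SCRIPT_MARKERS = ("rocket-loader", "beacon.min.js", "cdn-cgi", "cloudflare")
FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
TELEMETRY_HEADERS = ("nel", "report-to")

# Only <script src> and <link href> count as loaded assets; an <a> link to a CDN's site is not a script.
_ASSET_URL = re.compile(
    r'<(?:script|link)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)
_INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def audit_page(html: str, headers: Dict[str, str]) -> List[str]:
    """One finding per injected asset, font leak or telemetry header; [] means clean."""
    findings = []
    for url in _ASSET_URL.findall(html):
        low = url.lower()
        if any(m in low for m in SCRIPT_MARKERS):
            findings.append(f"injected asset: {url}")
        elif any(h in low for h in FONT_HOSTS):
            findings.append(f"third-party font request: {url}")
    for body in _INLINE_SCRIPT.findall(html):
        if any(m in body.lower() for m in SCRIPT_MARKERS):
            findings.append("inline script references CDN-injected assets")
    for name, value in headers.items():
        if name.lower() in TELEMETRY_HEADERS:
            findings.append(f"telemetry header: {name}: {value}")
    return findings

# Constructed samples: a page with the CDN defaults on, and the same page after they were disabled.
LEAKY_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<script defer src="https://static.cloudflareinsights.com/beacon.min.js"></script>
<script src="/cdn-cgi/scripts/HASH/cloudflare-static/rocket-loader.min.js"></script>
</head><body><p>Hello</p></body></html>"""
LEAKY_HEADERS = {"Content-Type": "text/html",
                 "NEL": '{"report_to":"cf-nel","max_age":604800}',
                 "Report-To": '{"group":"cf-nel","endpoints":[]}'}
CLEAN_HTML = '<html><head><style>body{font-family:system-ui}</style></head>' \
             '<body><p>Hello</p></body></html>'
CLEAN_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, html, hdrs in (("before", LEAKY_HTML, LEAKY_HEADERS),
                              ("after", CLEAN_HTML, CLEAN_HEADERS)):
        print(label, audit_page(html, hdrs) or "clean")
```

Point it at the HTML and headers returned by a real fetch of each page (for example via `curl -i`) and an empty list is the "Nothing. Clean." result described above.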

We then wrote a proper privacy policy that documents exactly what we do and do not collect. Server-side edge analytics (computed from Cloudflare logs, no client JavaScript) give us the traffic data we need. Page views, top pages, countries. No user-level tracking. No beacons.

The lesson

If you run a site behind a CDN and you make privacy promises to your users, audit what your CDN injects. Do not assume the defaults are safe. Do not assume you would notice an extra script in your HTML without looking.

Cloudflare is good infrastructure. We still use it. But "good infrastructure" and "respects your privacy promises by default" are not the same thing. You have to configure it deliberately.

We wrote a full technical guide on how to audit and lock down a Cloudflare zone: Zero client-side JavaScript from your CDN.

If you are building privacy-first tools or running a site where trust matters, check your CDN layer. Check your font loading. Check your response headers. The things you did not configure are often the things that break your promises.

Try our tools. Unwrite GPT for cleaning AI text, PDF tools for working with documents. Everything runs in your browser. Nothing phones home. We checked.