Cloudflare Server-Side Excludes

Cloudflare has a great little piece of functionality called “Server-Side Excludes”, tucked away on the “Scrape Shield” tab.  The idea is that if you have some information that you’d rather not have a suspicious person (or bot!) seeing, but you don’t want to hide the page from them completely, you can just hide the specific sections that include the information.

This is done using custom tags, like this…

<!--sse-->Hide this part<!--/sse-->

As you can see, these are actually HTML comments, but kind of setup like open and closing HTML tags.

When I was playing about with this, I wanted to setup a good or bad test page (feel free to see which you are by clicking the link) and found it really easy to add the “good actor” part, because I could easily hide the “bad actor” part with the tags, but in order to show the “bad actor” part I had to get a little more creative.  This is because it’s Server-Side Excludes, but there’s no equivalent Server-Side Include to match.  I ended up using javascript to hide and show sections, excluding the javascript using the SSE tags.

I also found it very difficult to test, and both a support desk call and a rather lengthy community forum thread on the subject, found that the only real way to test this is to use Tor and keep changing the circuit until you get an exit node with a bad reputation.  Not exactly foolproof, but gets the job done.  If you want to try this, I’d recommend downloading the Tor Browser, it’s just like using Firefox.

Having done this, I decided to go in depth on this and create a course entitled Setting up Cloudflare – Scrape Shield deep dive which goes through all of the “Scrape Shield” options, including the SSE functionality.  I hope this is useful to others, as I found the documentation a little light on the ground.