Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
cdnjs is a free, open source content delivery network operated by Cloudflare that hosts more than four thousand JavaScript and CSS libraries, including jQuery, Bootstrap, Font Awesome, lodash, Moment.js, popper.js and many others. Developers reach it through cdnjs.cloudflare.com and get the file from the nearest Cloudflare edge. cdnjs itself does not set marketing cookies, but the underlying Cloudflare network can set the __cf_bm bot management cookie and logs every HTTP request, which raises the same GDPR questions as any other US CDN.
cdnjs is a free, open source content delivery network maintained by Cloudflare that hosts more than four thousand JavaScript and CSS libraries. Developers paste a URL such as https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js into a script tag and Cloudflare serves the file from its global anycast edge. cdnjs is widely used for jQuery, Bootstrap, Font Awesome, lodash, Moment.js, anime.js, popper.js, Chart.js, Highlight.js and many more.
cdnjs itself does not deploy analytics or marketing cookies. The underlying Cloudflare network can set the __cf_bm bot management cookie (30 minutes) on the cdnjs.cloudflare.com domain when it detects suspicious traffic. Every HTTP request is logged for cache statistics and abuse prevention, including the visitor IP, User-Agent header, requested URL and Referer header.
Article 5(3) ePrivacy applies because __cf_bm, even if classified as bot protection, is stored on the user device. Cloudflare argues that __cf_bm is strictly necessary, but several European supervisory authorities prefer informed consent. The transmission of the visitor IP to a US controlled provider also triggers GDPR rules on transfer and lawful basis.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Cloudflare Inc. is a US company subject to the CLOUD Act and FISA 702. It is certified under the EU-US Data Privacy Framework, which provides an adequacy basis for transfers to the United States. Cloudflare signs Standard Contractual Clauses in its enterprise DPA and has launched a Data Localization Suite that pins logs to EU regions for paying customers; cdnjs as a free service does not benefit from that suite.
Legitimate interest under Article 6(1)(f) GDPR is defensible for loading essential libraries, but the Bonn Google Fonts ruling and similar decisions suggest that prior opt-in consent is the safer route when the CDN is in a third country. Self-hosting on the website origin or on an EU CDN such as Bunny CDN, Scaleway Edge or jsDelivr Europe Edge eliminates the question.
Inventory every cdnjs URL referenced in the codebase, decide whether each library is critical for the first render or can be lazy loaded, download the matching versions and host them on your own origin or an EU CDN, add Subresource Integrity hashes to keep the security guarantee, and mention Cloudflare in the privacy notice if cdnjs is still used. Where cdnjs is kept, integrate the script tags into the Consent Management Platform so they only fire after opt-in.
Websites using cdnjs must obtain user consent under GDPR regulations.
DPIA considerations
A standalone DPIA is rarely required for cdnjs. A transfer impact assessment focused on Cloudflare Inc. is recommended, covering the EU-US Data Privacy Framework certification, IP logging, retention of edge logs and the supplementary measures applied by Cloudflare. When several libraries are loaded from cdnjs in production, the assessment is best embedded in a wider review of third party JavaScript.
Sample consent text
This website loads some JavaScript and CSS libraries from cdnjs, a content delivery network operated by Cloudflare Inc. When your browser fetches a file, your IP address, User-Agent and the requested URL are processed by Cloudflare under the EU-US Data Privacy Framework. By clicking Accept, you authorise this technical request. You can also Reject and we will serve the libraries from our own EU server.
Third-party domains contacted
cdnjs.cloudflare.comcdnjs.comcloudflare.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | HTTP cookie | 30 minutes | Cloudflare bot management cookie set on cdnjs.cloudflare.com when suspicious traffic is detected. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
cdnjs itself does not set marketing or analytics cookies. The underlying Cloudflare network can set __cf_bm (30 minutes) on cdnjs.cloudflare.com for bot management. Server side logs capture IP, User-Agent, requested URL and Referer.
Best practice for European websites is to gather opt-in consent before loading any third party script from cdnjs, especially in jurisdictions following the Bonn Regional Court approach. Self-hosting is the simplest alternative.
Legitimate interest under Article 6(1)(f) GDPR can be argued for fetching essential libraries. Consent under Article 6(1)(a) is the safer route, particularly in Germany and France, and is required if __cf_bm is treated as non strictly necessary.
Yes. Cloudflare Inc. is US controlled and certified under the EU-US Data Privacy Framework. Edge logs may be replicated to US datacentres. Self-hosting on an EU origin or an EU CDN avoids the transfer.
A standalone DPIA is rarely needed. A transfer impact assessment on Cloudflare Inc. is recommended, embedded in a broader review of third party JavaScript if many libraries are loaded.
Inventory the cdnjs URLs, self-host the libraries on your own origin or an EU CDN, add Subresource Integrity hashes and a Content Security Policy. If cdnjs is retained, integrate the script tags into the Consent Management Platform.
Self-hosting is the simplest. EU alternatives include Bunny CDN, Scaleway Edge and jsDelivr Europe Edge. Many libraries also ship via npm and can be bundled directly into the application.
List Cloudflare Inc. as a sub-processor, describe the __cf_bm cookie and its purpose, mention the IP logging for every request, the EU-US Data Privacy Framework certification and link to the Cloudflare privacy policy.