Signed Exchanges (SXG) — Instant Page Loads with Cloudflare
In this tutorial, you'll learn about Signed Exchanges (SXG). We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloudflare Signed Exchanges (SXG) cryptographically sign web pages so that Google Search can prefetch and display them instantly, achieving near-zero perceived load time for search-driven traffic.
What You'll Learn
By the end of this tutorial, you will understand how SXG works at the cryptographic level, how Cloudflare generates and serves signed exchanges, and how to measure the improvement in search-derived traffic load times.
Why It Matters
Signed Exchanges let Google prefetch your pages before the user clicks, Caching them on the user's device. When the user taps your search result, the page loads from the local cache instantly. Cloudflare makes this feature available with zero changes to your origin server.
Real-World Use
Google Search processes billions of queries daily. Pages with SXG load 300-500ms faster for search visitors, which directly improves click-through rates and reduces bounce rates from impatient users.
Your Learning Path
flowchart LR
A[HTTP/2 & HTTP/3] --> B[Signed Exchanges]
B --> C[Prefetch & Preload]
C --> D[Page Rules Intro]
D --> E[Page Rules Caching]
B --> F{You Are Here}
style F fill:#f90,color:#fff
How Signed Exchanges Work
An SXG is an HTTP exchange wrapped in a cryptographic signature. The signature proves that the content was served by the original publisher, allowing Google to cache and display the page as if it came directly from your server.
SXG Flow
sequenceDiagram participant G as Google Crawler participant CF as Cloudflare Edge participant O as Origin Server participant U as User Browser G->>CF: Request /page with Accept: application/signed-exchange CF->>O: Fetch content O-->>CF: HTTP response CF->>CF: Sign exchange with origin private key CF-->>G: application/signed-exchange;v=b3 G->>G: Validate signature, cache signed exchange U->>G: Click search result G-->>U: Serve cached SXG from local storage Note over U: Page loads instantly from cache
Enabling SXG in Cloudflare
- Log in to the Cloudflare dashboard.
- Select your domain.
- Go to Speed > Optimization > Signed Exchanges.
- Toggle Signed Exchanges to On.
- Cloudflare generates a certificate signing request (CSR) and submits it to Google's SXG CA. The CA must issue a certificate before SXG becomes active.
# Verify SXG is active
curl -H "Accept: application/signed-exchange;v=b3" -I https://yourdomain.com/
# Expected output includes Content-Type header
# HTTP/2 200
# content-type: application/signed-exchange;v=b3
# x-cloudflare-signed-exchange: ok
Content Restrictions
SXG has restrictions on what content can be signed. Dynamic content, pages with cookies, and pages with certain headers are excluded.
# Cloudflare will not sign exchanges if the response includes:
# Set-Cookie, Cache-Control: private, or Vary: Cookie
# Ensure cacheable responses for SXG eligibility
location / {
add_header Cache-Control "public, max-age=3600";
}
# Fine-tune SXG pass-through
location /dashboard/ {
add_header Cache-Control "private"; # Disables SXG for this path
}
Measuring SXG Performance
// Monitor SXG delivery using Navigation Timing API
window.addEventListener('load', () => {
const nav = performance.getEntriesByType('navigation')[0];
console.log('Page loaded from:', nav.type); // 'navigate' or 'back_forward'
console.log('Transfer size:', nav.transferSize, 'bytes');
// If transferSize is 0, the page was served from the prefetch cache (SXG)
if (nav.transferSize === 0) {
console.log('Page was likely served via Signed Exchange prefetch');
}
});
// Expected output for SXG-served pages:
// Page loaded from: navigate
// Transfer size: 0 bytes
// Page was likely served via Signed Exchange prefetch
Common Errors
SXG certificate not issued. Google's SXG CA requires domain validation. Ensure your DNS records are correct and the domain is properly verified in Cloudflare.
Mixed content in SXG pages. All subresources referenced in a signed exchange must be served over HTTPS. Any HTTP subresource causes validation failure.
SXG excluded for logged-in content. Pages with authentication cookies are excluded because they cannot be publicly cached. SXG only applies to public, cacheable pages.
SXG not working for subdomains. The signed exchange certificate covers the exact domain. Verify that the domain in your Cloudflare dashboard matches the search-visible domain.
Google not prefetching SXG. Google uses several signals to decide whether to prefetch a signed exchange. High-authority pages with good Core Web Vitals are prioritized.
Practice Questions
- What cryptographic property does a Signed Exchange provide to Google Search?
- Why are pages with Set-Cookie headers excluded from SXG signing?
- How can you detect whether a page was served via SXG prefetch using browser APIs?
Challenge
Enable SXG on a test domain with cacheable content. Use curl to validate the signed exchange structure. Decompress the SXG payload and inspect the inner HTTP exchange.
Real-World Task
Identify your top 10 landing pages from Google Search traffic. Verify they are cacheable and eligible for SXG. Enable the feature and monitor the change in bounce rate and Time to First Byte.
FAQ
Related Tutorials
- Early Hints — Combine instant prefetching with preloaded subresources
- Prefetch & Preload — Broader predictive loading strategies for SXG pages
- Page Rules Caching — Ensure cacheable responses for SXG eligibility
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro