Skip to content

Signed Exchanges (SXG) — Instant Page Loads with Cloudflare

DodaTech Updated 2026-06-23 5 min read

In this tutorial, you'll learn about Signed Exchanges (SXG). We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Signed Exchanges (SXG) cryptographically sign web pages so that Google Search can prefetch and display them instantly, achieving near-zero perceived load time for search-driven traffic.

What You'll Learn

By the end of this tutorial, you will understand how SXG works at the cryptographic level, how Cloudflare generates and serves signed exchanges, and how to measure the improvement in search-derived traffic load times.

Why It Matters

Signed Exchanges let Google prefetch your pages before the user clicks, Caching them on the user's device. When the user taps your search result, the page loads from the local cache instantly. Cloudflare makes this feature available with zero changes to your origin server.

Real-World Use

Google Search processes billions of queries daily. Pages with SXG load 300-500ms faster for search visitors, which directly improves click-through rates and reduces bounce rates from impatient users.

Your Learning Path

flowchart LR
  A[HTTP/2 & HTTP/3] --> B[Signed Exchanges]
  B --> C[Prefetch & Preload]
  C --> D[Page Rules Intro]
  D --> E[Page Rules Caching]
  B --> F{You Are Here}
  style F fill:#f90,color:#fff

How Signed Exchanges Work

An SXG is an HTTP exchange wrapped in a cryptographic signature. The signature proves that the content was served by the original publisher, allowing Google to cache and display the page as if it came directly from your server.

SXG Flow

sequenceDiagram
  participant G as Google Crawler
  participant CF as Cloudflare Edge
  participant O as Origin Server
  participant U as User Browser

  G->>CF: Request /page with Accept: application/signed-exchange
  CF->>O: Fetch content
  O-->>CF: HTTP response
  CF->>CF: Sign exchange with origin private key
  CF-->>G: application/signed-exchange;v=b3
  G->>G: Validate signature, cache signed exchange
  U->>G: Click search result
  G-->>U: Serve cached SXG from local storage
  Note over U: Page loads instantly from cache

Enabling SXG in Cloudflare

  1. Log in to the Cloudflare dashboard.
  2. Select your domain.
  3. Go to Speed > Optimization > Signed Exchanges.
  4. Toggle Signed Exchanges to On.
  5. Cloudflare generates a certificate signing request (CSR) and submits it to Google's SXG CA. The CA must issue a certificate before SXG becomes active.
# Verify SXG is active
curl -H "Accept: application/signed-exchange;v=b3" -I https://yourdomain.com/

# Expected output includes Content-Type header
# HTTP/2 200
# content-type: application/signed-exchange;v=b3
# x-cloudflare-signed-exchange: ok

Content Restrictions

SXG has restrictions on what content can be signed. Dynamic content, pages with cookies, and pages with certain headers are excluded.

# Cloudflare will not sign exchanges if the response includes:
# Set-Cookie, Cache-Control: private, or Vary: Cookie

# Ensure cacheable responses for SXG eligibility
location / {
  add_header Cache-Control "public, max-age=3600";
}

# Fine-tune SXG pass-through
location /dashboard/ {
  add_header Cache-Control "private";  # Disables SXG for this path
}

Measuring SXG Performance

// Monitor SXG delivery using Navigation Timing API
window.addEventListener('load', () => {
  const nav = performance.getEntriesByType('navigation')[0];
  console.log('Page loaded from:', nav.type);  // 'navigate' or 'back_forward'
  console.log('Transfer size:', nav.transferSize, 'bytes');

  // If transferSize is 0, the page was served from the prefetch cache (SXG)
  if (nav.transferSize === 0) {
    console.log('Page was likely served via Signed Exchange prefetch');
  }
});

// Expected output for SXG-served pages:
// Page loaded from: navigate
// Transfer size: 0 bytes
// Page was likely served via Signed Exchange prefetch

Common Errors

SXG certificate not issued. Google's SXG CA requires domain validation. Ensure your DNS records are correct and the domain is properly verified in Cloudflare.

Mixed content in SXG pages. All subresources referenced in a signed exchange must be served over HTTPS. Any HTTP subresource causes validation failure.

SXG excluded for logged-in content. Pages with authentication cookies are excluded because they cannot be publicly cached. SXG only applies to public, cacheable pages.

SXG not working for subdomains. The signed exchange certificate covers the exact domain. Verify that the domain in your Cloudflare dashboard matches the search-visible domain.

Google not prefetching SXG. Google uses several signals to decide whether to prefetch a signed exchange. High-authority pages with good Core Web Vitals are prioritized.

Practice Questions

  1. What cryptographic property does a Signed Exchange provide to Google Search?
  2. Why are pages with Set-Cookie headers excluded from SXG signing?
  3. How can you detect whether a page was served via SXG prefetch using browser APIs?

Challenge

Enable SXG on a test domain with cacheable content. Use curl to validate the signed exchange structure. Decompress the SXG payload and inspect the inner HTTP exchange.

Real-World Task

Identify your top 10 landing pages from Google Search traffic. Verify they are cacheable and eligible for SXG. Enable the feature and monitor the change in bounce rate and Time to First Byte.

FAQ

Does SXG work with AMP?

Yes, Google uses SXG with AMP pages to enable instant loading in search results. When AMP is combined with SXG, the signed exchange format replaces the AMP cache URL mechanism.

Can SXG improve SEO rankings?

Not directly. Google has stated that SXG does not affect search rankings. However, faster load times from prefetching improve user engagement signals like bounce rate and time on page, which indirectly influence rankings.

Does SXG expose my private cache key to Google?

No. Cloudflare strips cookies and other personalized content before signing the exchange. The signed payload contains only the public, cacheable response that any Visitor would see.

  • Early Hints — Combine instant prefetching with preloaded subresources
  • Prefetch & Preload — Broader predictive loading strategies for SXG pages
  • Page Rules Caching — Ensure cacheable responses for SXG eligibility

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro