Probably not cdnjs -- there are lots of people who use CloudFlare for an assets domain (since it's free) -- if they are just serving images, it's a problem to display the CAPTCHA. It is probably best practice, if none of those assets are sensitive, to disable as much security as possible on that domain. It might be worth having some packages of defaults for tuning that. (One of the benefits for our enterprise customers is one of our staff works with them to tune settings.)