Do you know what every script on your website is doing in your customers' browsers?
Modern websites load dozens of third-party scripts — analytics, tag managers, payment widgets, A/B testing, chat tools, social embeds. Each one is a piece of code you didn't write, running in your users' browsers, with full access to forms and cookies. When one of those scripts is compromised (Magecart-style skimmer attacks, supply-chain takeovers, NPM package hijacks), customer data — including credit-card numbers entered on your checkout page — silently exfiltrates to the attacker. PCI DSS 4.0 explicitly requires you to manage and monitor this.
How it fits together
Diagram coming soon
Architecture diagram for this solution will be added here.
How Cloudflare solves it
- Automatic script inventory. Page Shield uses real browser telemetry to discover every script your site loads — including scripts loaded by other scripts. New scripts trigger alerts so you notice the change.
- Connection monitoring. See every external endpoint your pages talk to (fetch, XHR, WebSocket, beacon). Surface unexpected destinations — a payment widget that suddenly calls a Russian domain is a flag.
- Malicious & obfuscated script detection. Cloudflare's threat intelligence flags known skimmer signatures, malicious URLs, and heuristically detects suspicious obfuscation patterns common to Magecart variants.
- Content Security Policy (CSP) generation. Generate and roll out CSP headers based on observed legitimate traffic — no more guessing what your CSP should allow. Page Shield reports CSP violations so you can tighten without breaking the site.
- PCI DSS 4.0 compliance. Requirements 6.4.3 and 11.6.1 (inventory, integrity monitoring, change detection for payment pages) are met out of the box with Page Shield's alerting and reporting.
Common questions
Does Page Shield add latency to my pages?
What's the difference between Page Shield and a WAF?
Will Page Shield generate a CSP automatically?
What action does Page Shield take when it finds a malicious script?
Try it live
The live demo runs on a dedicated checkout page at /client-side-security/checkout so Client-Side Security has a clean, stable surface to inventory. Use the scenario toggles below to flip alert scenarios on that page — coinhive injection (new script + malicious domain), unexpected connection, unexpected cookie, or a code change to an already-fingerprinted analytics script. Hit Open Checkout to view the demo surface, then trigger an alert and watch it land in the dashboard.
Open the live demo
The Client-Side Security demo runs on its own dedicated checkout page so that Cloudflare can build a clean inventory of scripts, connections, and cookies. Use the scenario toggles below to inject signals, then reload the checkout page (or have your traffic generator hit it) to trigger alerts.
Scenario toggles
Flags are stored in Workers KV and read by the checkout page on every load. Toggle, then trigger a fresh page view to surface the signal.
What the checkout page emits
The baseline page is intentionally small so the inventory converges.
- Scripts (first-party):
/api/page-shield/checkout-core.js,/api/page-shield/checkout-analytics.js - Scripts (third-party, trusted):
cdn.jsdelivr.net/npm/jquery - Connections (first-party):
POST /api/page-shield/checkout/submit,POST /api/page-shield/checkout/telemetry - Cookies (Set-Cookie, first-party):
demo_checkout_session,demo_checkout_last_order - Cookies (document.cookie):
demo_cart_seen
Anything beyond this list is added only by an enabled scenario.