Cloudflare Demo Shop

Client-Side Security

Inventory every third-party script and connection running in your users' browsers. Detect Magecart-style skimmers, supply-chain compromise, and unexpected data exfiltration — automatically.

Do you know what every script on your website is doing in your customers' browsers?

Modern websites load dozens of third-party scripts — analytics, tag managers, payment widgets, A/B testing, chat tools, social embeds. Each one is a piece of code you didn't write, running in your users' browsers, with full access to forms and cookies. When one of those scripts is compromised (Magecart-style skimmer attacks, supply-chain takeovers, NPM package hijacks), customer data — including credit-card numbers entered on your checkout page — silently exfiltrates to the attacker. PCI DSS 4.0 explicitly requires you to manage and monitor this.

How it fits together

Diagram coming soon

Architecture diagram for this solution will be added here.

How Cloudflare solves it

Common questions

Does Page Shield add latency to my pages?
No. The detection happens via a tiny CSP-style reporting endpoint and from Cloudflare's view of the request traffic — nothing executes synchronously on your critical path.
What's the difference between Page Shield and a WAF?
The WAF protects server-side: it sees and blocks requests *to* your origin. Page Shield protects client-side: it sees what's running *in the user's browser* after your origin has already responded. Magecart and supply-chain attacks specifically target the browser layer; the WAF can't see them.
Will Page Shield generate a CSP automatically?
Yes. Based on observed legitimate script and connection sources over a period of time, Page Shield will recommend a tight CSP. You can deploy it in report-only mode first, watch for violations, and then enforce.
What action does Page Shield take when it finds a malicious script?
Today, Page Shield alerts you — it doesn't block scripts in-line by default (because that risks breaking your site if a legitimate script is misclassified). Most customers use the alert to investigate and roll a tighter CSP. Active blocking via CSP is a one-click follow-up.

Try it live

The live demo runs on a dedicated checkout page at /client-side-security/checkout so Client-Side Security has a clean, stable surface to inventory. Use the scenario toggles below to flip alert scenarios on that page — coinhive injection (new script + malicious domain), unexpected connection, unexpected cookie, or a code change to an already-fingerprinted analytics script. Hit Open Checkout to view the demo surface, then trigger an alert and watch it land in the dashboard.

Open the live demo

The Client-Side Security demo runs on its own dedicated checkout page so that Cloudflare can build a clean inventory of scripts, connections, and cookies. Use the scenario toggles below to inject signals, then reload the checkout page (or have your traffic generator hit it) to trigger alerts.

Scenario toggles

Flags are stored in Workers KV and read by the checkout page on every load. Toggle, then trigger a fresh page view to surface the signal.

What the checkout page emits

The baseline page is intentionally small so the inventory converges.

  • Scripts (first-party): /api/page-shield/checkout-core.js, /api/page-shield/checkout-analytics.js
  • Scripts (third-party, trusted): cdn.jsdelivr.net/npm/jquery
  • Connections (first-party): POST /api/page-shield/checkout/submit, POST /api/page-shield/checkout/telemetry
  • Cookies (Set-Cookie, first-party): demo_checkout_session, demo_checkout_last_order
  • Cookies (document.cookie): demo_cart_seen

Anything beyond this list is added only by an enabled scenario.

Docs & blogs

← Back to all solutions