Client Side Protection

Overview

As part of PCI DSS 4.0 requirements for Client-Side Protection (Requirements 6.4.3 and 11.6.1), CloudGuard WAF introduces automatic Script and IFrame Discovery and Authorization. These features help organizations:

  • Identify all external JavaScript and iframe resources loaded by their web applications

  • Detect and prevent unauthorized or unexpected third-party scripts

  • Enforce a “trust-list” model for external sources

  • Reduce the risk of client-side attacks such as Magecart, form-jacking, or malicious injections

  • Meet the PCI DSS visibility and control requirements

How to set up Client Side Protection?

Step 1: Add URIs to Start Discovery

  • Navigate to Client-Side Protection Practice → Content & Headers Discovery.

  • Add one or more URIs representing pages you want the system to analyze.

  • Discovery will not start without at least one URI.

Note: To avoid learning inline scripts, check the following checkbox:

Step 2: Configure Security Header Checks

Set Security header check to one of the following:

  • Inactive

  • Validate server security headers

  • Validate full security-header policy

Step 3: Allow the System to Learn

  • As traffic flows through the protected application, CloudGuard automatically identifies:

    • External JavaScript files

    • Inline scripts

    • Embedded iframes

  • A banner at the top of the screen will notify you that Learning has started.

Note: To receive email notifications for Client Side Protection events, configure a notification trigger and connect it to the relevant asset.

  • Discovery results appear in two places:

    • Client-Side → Discovered Scripts / Discovered IFrames

    • Learn tab, where the system summarizes findings during the learning phase

Step 4: Review Discovered Items

  • Review each discovered script/iframe and determine whether it is:

    • Expected and safe

    • Unexpected, unknown, or suspicious

Step 5: Authorize Trusted Scripts & IFrames

  • Approve legitimate resources directly from the Discovered list

Note: To allow all inline scripts, check the following checkbox.

  • Use the Custom section to:

    • Add Scripts/Iframes that were not discovered yet.

    • Pre-authorize updated versions to deploy changes without needing re-discovery.

    • Define stricter allow-list rules.

  • Adjust Script Authorization mode and Iframe Authorization mode

Step 6: Enable Enforcement

When ready, select Enforce Policy.

CloudGuard WAF will then block unauthorized or unexpected scripts and iframes.
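To illustrate what the discovery and authorization steps above amount to, here is an added example written for this page (not CloudGuard code): it inventories the external scripts, inline scripts and iframes on a constructed sample page, then authorizes each one against a trust list of origins and inline-script hashes. The hostnames, the page origin and the trust list are placeholders.

```python
# Added example, not CloudGuard code: a minimal script/iframe discovery pass
# over one page, then trust-list authorization of what was found.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptIframeDiscovery(HTMLParser):
    # Collects external script URLs, inline script bodies and iframe URLs.
    def __init__(self):
        super().__init__()
        self.external_scripts, self.inline_scripts, self.iframes = [], [], []
        self._inline = None  # text buffer while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.external_scripts.append(a["src"])
        elif tag == "script":
            self._inline = []
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.inline_scripts.append("".join(self._inline))
            self._inline = None

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def authorize(html, page_origin, trusted_origins, trusted_inline_hashes):
    """Scripts/iframes are authorized by origin (relative URL = page origin); inline scripts by body hash."""
    p = ScriptIframeDiscovery()
    p.feed(html)
    report = {"authorized": [], "unauthorized": []}
    for kind, src in [("script", s) for s in p.external_scripts] + [("iframe", s) for s in p.iframes]:
        origin = urlparse(src).netloc.lower() or page_origin
        report["authorized" if origin in trusted_origins else "unauthorized"].append((kind, src))
    for body in p.inline_scripts:
        ok = sha256_hex(body) in trusted_inline_hashes
        report["authorized" if ok else "unauthorized"].append(("inline", body.strip()[:40]))
    return report

# Constructed sample page and trust list (placeholder hostnames).
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.payments.example/checkout.js"></script>
<script>window.cfg = {env: "prod"};</script>
<script>/* injected, not in the trust list */ console.log("x");</script>
</head><body><iframe src="https://pay.payments.example/frame"></iframe>
<iframe src="https://unknown-widget.example/w"></iframe></body></html>"""

def demo():
    trusted = {"shop.example", "cdn.payments.example", "pay.payments.example"}
    return authorize(SAMPLE_HTML, "shop.example", trusted, {sha256_hex('window.cfg = {env: "prod"};')})
```

The two entries left in the unauthorized list (the unknown iframe origin and the injected inline script) are exactly the items an operator would see flagged for review in Step 4 before enforcement.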
