---
title: Client-side security
description: Cloudflare's client-side security is a comprehensive client-side security and privacy solution that allows you to ensure the safety of your website visitors' browsing environment.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Client-side security

Ensures the safety and privacy of your website visitors' browsing environment.

 Available on all plans 

Client-side security (formerly Page Shield) helps manage resources loaded by your website visitors — including scripts, their connections, and cookies — and triggers alert notifications when resources change or are considered malicious.

Learn how to [get started](https://developers.cloudflare.com/client-side-security/get-started/).

---

## Features

### Resource monitoring

Displays information about client-side resources loaded in your domain's pages.

[ Monitor client-side resources ](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/) 

### Page attribution

Find the page in which a resource first appeared, and view a list of the latest occurrences of the resource in your pages.

[ Find resource occurrences ](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/#view-details) 

### Malicious script detection

Detects malicious scripts in your pages using threat intelligence and machine learning.

[ Review malicious scripts ](https://developers.cloudflare.com/client-side-security/detection/review-malicious-scripts/) 

### Code change detection

Detects any changes in the scripts loaded in your pages.

[ Review changed scripts ](https://developers.cloudflare.com/client-side-security/detection/review-changed-scripts/) 

### Alerts

Receive notifications about newly detected scripts, scripts loaded from unknown domains, new scripts considered malicious, or code changes in your existing scripts.

[ Use Alerts ](https://developers.cloudflare.com/client-side-security/alerts/) 

### Content security rules

Content security rules define allowed resources on your websites. Use content security rules to enforce an allowlist of resources, effectively blocking resources not included in your rules.

[ Use Content security rules ](https://developers.cloudflare.com/client-side-security/rules/) 

## Availability

|                                                      | Free | Pro | Business | Enterprise | Advanced |
| ---------------------------------------------------- | ---- | --- | -------- | ---------- | -------- |
| Availability                                         | Yes | Yes      | Yes        | Yes      | Yes |
| Script monitoring                                    | Yes | Yes      | Yes        | Yes      | Yes |
| Connection monitoring                                | No  | No       | Yes        | Yes      | Yes |
| Cookie monitoring                                    | No  | No       | Yes        | Yes      | Yes |
| Page attribution                                     | No  | No       | Yes        | Yes      | Yes |
| New Resources Alerts and New Domain Alerts           | No  | No       | Yes        | Yes      | Yes |
| Malicious script detection and alerting              | No  | No       | No         | No       | Yes |
| Code change detection and alerting                   | No  | No       | No         | No       | Yes |
| Malicious connection detection and alerting          | No  | No       | No         | No       | Yes |
| Cookie monitoring advanced fields                    | No  | No       | No         | No       | Yes |
| Number of content security rules (positive blocking) | 0   | 0        | 0          | 0        | 5   |
| Number of Logpush jobs                               | 0   | 0        | 0          | 0        | 4   |


---

---
title: Get started with client-side security
description: Learn how to get started with Cloudflare's client-side security.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Get started with client-side security

## 1\. Activate client-side resource monitoring

To enable client-side resource monitoring:

**New dashboard**

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Client-side abuse**.
3. Turn on **Continuous script monitoring**.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Client-side security**.
3. Go to the **Settings** tab.
4. Next to **Continuous monitoring and alerting**, select **Enable**.

If you do not have access to client-side security settings in the Cloudflare dashboard, check if your user has one of the [necessary roles](https://developers.cloudflare.com/client-side-security/reference/roles-and-permissions/).

## 2\. Review detected resources

When you enable client-side resource monitoring, it may take a while to get the list of detected scripts in your domain.

To review the scripts detected by Cloudflare:

1. Go to the client-side resources page:  
   * **New dashboard**:  
     1. In the Cloudflare dashboard, go to the **Web assets** page.  
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)  
     2. Select the **Client-side resources** tab.  
   * **Old dashboard**:  
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.  
     2. Go to **Security** \> **Client-side security**.
2. Review the list of detected scripts, checking for any unknown or unexpected scripts.  
[Depending on your plan and subscriptions](https://developers.cloudflare.com/client-side-security/#availability), Cloudflare will also:  
   * Inform you if a script is [considered malicious](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).  
   * [Show the details](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/#view-details) about each detected script.

Depending on your Cloudflare plan, you may also be able to review the connections made by scripts in your domain's pages and check them for malicious activity.

## 3\. (Optional) Configure alerts

Once you have activated client-side security's resource monitoring, you can set up one or more alerts informing you of relevant client-side changes on your zones. The [available alert types](https://developers.cloudflare.com/client-side-security/alerts/alert-types/) depend on your Cloudflare plan and subscriptions.

To configure an alert:

1. In the Cloudflare dashboard, go to the **Notifications** page.  
[ Go to **Notifications** ](https://dash.cloudflare.com/?to=/:account/notifications)
2. Choose **Add** and then select **Client-side security (formerly Page Shield)** in the **Product** dropdown.
3. Select an [alert type](https://developers.cloudflare.com/client-side-security/alerts/alert-types/).
4. Enter the notification name and description.
5. (Optional) If you are a customer with Client-Side Security Advanced, you can [define the zones for which you want to filter alerts](https://developers.cloudflare.com/client-side-security/alerts/#scoped-alerts) in **Rules of these zones**. This option requires that you define [content security rules](https://developers.cloudflare.com/client-side-security/rules/) in the selected zones.
6. Select one or more notification destinations (notification email, webhooks, and connected notification services).
7. Select **Create**.

To learn how you can handle an alert, refer to [Handle a client-side resource alert](https://developers.cloudflare.com/client-side-security/best-practices/handle-an-alert/).

## 4\. (Optional) Define content security rules

Note

Only available to customers with Client-Side Security Advanced.

[Content security rules](https://developers.cloudflare.com/client-side-security/rules/) (previously called policies) define allowed resources on your websites. Create content security rules to implement a positive security model[1](#user-content-fn-1).

### 4.1\. Create a content security rule with the Log action

When you create a content security rule with the [_Log_ action](https://developers.cloudflare.com/client-side-security/rules/#rule-actions), Cloudflare logs any resources not covered by the rule, without blocking any resources. Use this action to validate a new rule before deploying it.

Note

Only available to customers with Client-Side Security Advanced.

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create** \> **Content security rules**.
3. Enter a descriptive name for the rule in **Description**.
4. Under **If incoming requests match**, define the scope of the content security rule (or policy). You can use the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**) or manually enter an expression using the Expression Editor. For more information, refer to [Edit expressions in the dashboard](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/).
5. Under **Allow these directives**, select the desired [CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/) for the content security rule by enabling one or more checkboxes.  
   * To manually enter an allowed source, select **Add source**.  
   * To refresh the displayed sources based on detected resources, select **Refresh suggestions**.  
   Note  
   Cloudflare provides suggestions for **Default**, **Scripts**, and **Connections** directives. For the **Default** directive, suggestions are based on monitored scripts and connections resources.
6. Under **Then take action**, select _Log_.
7. To save and deploy your rule, select **Deploy**.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account and domain.
2. Go to **Security** \> **Client-side security** \> **Rules**.
3. Select **Create rule**.
4. Enter a descriptive name for the rule in **Description**.
5. Under **If incoming requests match**, define the rule scope. You can use the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**) or manually enter an expression using the Expression Editor. For more information, refer to [Edit expressions in the dashboard](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/).
6. Under **Allow these directives**, select the desired [CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/) for the rule by enabling one or more checkboxes.  
   * To manually enter an allowed source, select **Add source**.  
   * To refresh the displayed sources based on detected resources, select **Refresh suggestions**.  
   Note  
   Cloudflare provides suggestions for **Default**, **Scripts**, and **Connections** directives. For the **Default** directive, suggestions are based on monitored scripts and connections resources.
7. Under **Then take action**, select _Log_.
8. To save and deploy your rule, select **Deploy**.

### 4.2\. Review rule violations

Resources not covered by the content security rule you created will be reported as [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/). After some time, review the list of rule violations to make sure the rule is correct.

To view rule violation information:

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. (Optional) Filter by **Content security rules**.

**Old dashboard**

* In the Cloudflare dashboard, go to **Security** \> **Client-side security** \> **Rules**.

The displayed information includes the following:

* A sparkline next to the rule name, showing violations in the past seven days.
* For content security rules with associated violations, an expandable details section for each rule, with the top resources present in violation events and a sparkline per top resource.

Update the rule if needed.

### 4.3\. Change rule action to Allow

Once you have verified that your content security rule is correct, change the rule action from _Log_ to _Allow_.

When you use the [_Allow_ action](https://developers.cloudflare.com/client-side-security/rules/#rule-actions), Cloudflare starts blocking any resources not explicitly allowed by the rule.

## Footnotes

1. A positive security model is one that defines what is allowed and rejects everything else. In contrast, a negative security model defines what will be rejected and accepts the rest. [↩](#user-content-fnref-1)


---

---
title: How client-side security works
description: Cloudflare's client-side security tracks resources (such as scripts) loaded by your website visitors and provides alerts when it detects new, changed, or malicious resources.
image: https://developers.cloudflare.com/core-services-preview.png
---


# How client-side security works

Cloudflare's client-side security helps manage client-side resources (which include scripts and their connections) loaded by your website visitors, and provides visibility on the [cookies ↗](https://www.cloudflare.com/learning/privacy/what-are-cookies/) recently detected in HTTP traffic. Client-side security can trigger alert notifications when resources change or are considered malicious.

Client-side security uses two types of [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) HTTP headers for different purposes:

* For resource monitoring (scripts and connections)
* To enforce content security rules or log violations of these rules

## Comparison of CSP headers

The following table compares the CSP HTTP headers used for monitoring resources and applying content security rules:

| Resource monitoring HTTP header               | Content security rules HTTP headers                                                  |
| --------------------------------------------- | ------------------------------------------------------------------------------------ |
| `content-security-policy-report-only`         | `content-security-policy-report-only` (log rules); `content-security-policy` (allow rules) |
| Automatic — on when monitoring is enabled     | Manual — created via rules you define                                                |
| Added to a sample of HTML responses           | Added to 100% of matching responses (not sampled)                                    |
| Reports everything by disallowing anything    | CSP directives come from your allowlist                                              |
| Browser sends violation reports to Cloudflare | Log rules report violations only; Allow rules block disallowed resources             |

## Header used for resource monitoring

When you turn on resource monitoring, Cloudflare automatically adds a `content-security-policy-report-only` HTTP header to a sample of HTML responses. For details on the header format, refer to [CSP HTTP header format](https://developers.cloudflare.com/client-side-security/reference/csp-header/).

This header instructs the browser to report all loaded scripts and connections without blocking them. This allows Cloudflare to provide you with a list of all scripts running on your application and the connections they make to third-party endpoints. Cloudflare also monitors ingress and egress traffic for cookies, either set by origin servers or by the visitor's browser.

You cannot turn off the monitoring header while resource monitoring is enabled. Because the header is added to a sample of responses, there may be a [small delay](https://developers.cloudflare.com/client-side-security/troubleshooting/#cloudflare-does-not-show-any-client-side-resources-after-activation) between deploying a script or cookie and having its data displayed in the resource monitoring dashboards.

The client-side resource monitoring dashboard shows the list of [active](https://developers.cloudflare.com/client-side-security/reference/script-statuses/#available-statuses) scripts, connections, and cookies. The **All Reported Scripts** and **All Reported Connections** dashboards show the full list of detected scripts and connections in your domain, respectively, including infrequent and inactive ones.
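The following added example (not part of Cloudflare's documentation or code) shows how report-only violation reports can be folded into a script and connection inventory that records the page where each resource was first seen. The report bodies are constructed samples in the standard legacy `csp-report` JSON shape; `buildInventory`, `resourceKey` and the `fullConnectionUrls` option are hypothetical names, and dropping query strings is a choice made for this example.

```javascript
// Constructed sample reports in the legacy `application/csp-report` JSON shape
// that browsers POST when a report-only policy is violated.
const sampleReports = [
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "effective-directive": "script-src-elem",
      "blocked-uri": "https://cdn.example.net/lib/widget.js?v=3" } },
  { "csp-report": { "document-uri": "https://shop.example/cart",
      "effective-directive": "script-src-elem",
      "blocked-uri": "https://cdn.example.net/lib/widget.js?v=3" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "violated-directive": "connect-src 'none'",
      "blocked-uri": "https://api.metrics.example/v1/collect?id=42" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "effective-directive": "script-src-elem",
      "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://shop.example/",
      "effective-directive": "img-src",
      "blocked-uri": "https://img.example.org/logo.png" } },
];

// Older browsers only send `violated-directive`, sometimes with the source
// list appended ("connect-src 'none'"), so keep the first token only.
function directiveOf(report) {
  const raw = report["effective-directive"] || report["violated-directive"] || "";
  return raw.trim().split(/\s+/)[0];
}

// Returns an inventory key, or null for values that are not network URLs
// (browsers report keywords such as "inline", "eval" or "data" here).
function resourceKey(blockedUri, keepFullUrl) {
  let url;
  try { url = new URL(blockedUri); } catch { return null; }
  if (!["http:", "https:", "ws:", "wss:"].includes(url.protocol)) return null;
  // Query strings are dropped so per-visitor parameters do not split one
  // resource into many entries (a choice made for this example).
  return keepFullUrl ? url.origin + url.pathname : url.host;
}

function buildInventory(reports, { fullConnectionUrls = false } = {}) {
  const inventory = { scripts: new Map(), connections: new Map(), skipped: 0 };
  for (const body of reports) {
    const report = body && body["csp-report"];
    const directive = report ? directiveOf(report) : "";
    const isScript = directive.startsWith("script-src");
    const bucket = isScript ? inventory.scripts
      : directive === "connect-src" ? inventory.connections : null;
    // Scripts are keyed by URL; connections by hostname unless full URLs
    // are requested.
    const key = bucket && resourceKey(report["blocked-uri"], isScript || fullConnectionUrls);
    if (!key) { inventory.skipped += 1; continue; }
    const page = report["document-uri"];
    const entry = bucket.get(key) || { firstSeenOn: page, pages: new Set(), reports: 0 };
    entry.pages.add(page);
    entry.reports += 1;
    bucket.set(key, entry);
  }
  return inventory;
}

console.log(buildInventory(sampleReports));
```

Reports for inline scripts and for directives other than scripts and connections are counted in `skipped` rather than silently dropped, which makes gaps in the inventory visible.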

## Headers related to content security rules

When you create [content security rules](https://developers.cloudflare.com/client-side-security/rules/), Cloudflare generates CSP directives based on your allow and log rules:

* **Log rules** add directives to the `content-security-policy-report-only` HTTP header, reporting violations without blocking resources.
* **Allow rules** add directives to the `content-security-policy` HTTP header, actively blocking resources not present in your allowlist.

Unlike headers used for resource monitoring, these HTTP headers apply only to responses matching the expression you define in each rule and are not sampled. You have full control over these headers through your [content security rules](https://developers.cloudflare.com/client-side-security/rules/) configuration.

Customers with Client-Side Security Advanced have access to additional classification mechanisms based on threat feeds to determine if a script, or a connection made by a script, is malicious. For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).

---

## Learn more

For more background on client-side security and resource monitoring, refer to our [blog post ↗](https://blog.cloudflare.com/page-shield-generally-available/).


---

---
title: Malicious script and connection detection
description: Cloudflare analyzes the JavaScript code of the scripts loaded by your website visitors, using threat intelligence and machine learning (including LLMs) to detect malicious behavior.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Malicious script and connection detection

Note

Domain-based threat intelligence is available to all customers. Malicious script detection and malicious URL checks require Client-Side Security Advanced.

Cloudflare uses different mechanisms to determine if a script, or a connection made by a script, is malicious. These mechanisms are:

* Malicious script detection
* Malicious URL checks
* Malicious domain checks

Any updates to the threat feeds will trigger new checks for previously detected scripts or connections so that the client-side resource monitoring dashboards always reflect the latest categorization.

## Malicious script detection

Cloudflare analyzes the JavaScript code of the scripts loaded by your website visitors. This analysis uses machine learning, including an LLM powered by Workers AI, to reduce the false positive rate and focus on highlighting true positives such as [Magecart-type attacks ↗](https://sansec.io/what-is-magecart).

Note

Cloudflare uses open-source models for this analysis. Customer data is not used to train these models.

The analysis assigns a score (also called JS integrity score) between 1 and 99 to each script version, classifying how malicious it is. A score of 1 means definitely malicious, and 99 means definitely not malicious. This score, together with a threshold value, will determine if the malicious script detection system will classify the script as malicious or not.

The score threshold for considering a script as malicious is currently set to 10\. If the script classification score is below this value, the monitoring dashboards will display the script as being malicious.

In addition to the integrity score, Cloudflare will also provide individual scores for different malicious code detections (scores from 1 to 99):

* **Magecart**
* **Crypto mining**
* **Malware**

You can [configure Malicious Script Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/) to receive an alert notification as soon as Cloudflare detects JavaScript code classified as malicious in your domain.

Note

Currently, the script classifier only runs on scripts up to 300 KB. It is recommended that you take into account other signals in your monitoring strategy, such as signals based on threat intelligence feeds (malicious URL/domain checks).

## Malicious URL checks

Cloudflare will search for the URLs of your JavaScript dependencies in threat intelligence feeds to determine if any of those scripts should be categorized as malicious.

The client-side resource monitoring dashboards display the scripts that were considered malicious at the top of the scripts list.

You can [configure Malicious URL Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/) to receive an alert notification as soon as Cloudflare detects a script from a malicious URL in your domain.

Depending on your current configuration, Cloudflare can also search for malicious URLs in the URLs of outgoing connections made by scripts in your domain. To enable this check, you must [allow resource monitoring to use the full URLs of outgoing connections](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details) instead of only the hostname in the settings page.

## Malicious domain checks

Cloudflare will search for the domains of your client-side JavaScript dependencies in threat feeds to determine if any of those scripts is being served from a known malicious domain.

A domain previously reported as malicious can later be reported as non-malicious if, after further analysis, the domain is deemed safe.

Cloudflare will also check the target domains of connections made by scripts in your domain's pages, following the same approach described for scripts.

You can [configure Malicious Domain Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/) to receive an alert notification as soon as Cloudflare detects a malicious script loaded from a known malicious domain in your domain.

---

## Malicious script and connection categories

Scripts and connections considered malicious are categorized based on data from threat intelligence feeds. The current categories are the following:

* Security threats
* Command-and-Control (C2) & Botnet
* Crypto mining
* Spyware
* Phishing
* Malware
* Domain Generation Algorithm (DGA) domain
* Typosquatting & Impersonation

Each script or connection considered malicious can belong to several categories.


---

---
title: Alerts
description: Cloudflare client-side resource alerts notify you when new scripts are detected on your domain or when Cloudflare detects resources that are likely malicious.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Alerts

Note

New resource alerts require a Business plan or higher. Code change and malicious resource alerts require Client-Side Security Advanced. For details, refer to [Alert types](https://developers.cloudflare.com/client-side-security/alerts/alert-types/).

Once you have activated client-side security's resource monitoring, you can set up one or more alerts informing you of relevant client-side changes on your zones. 

You can configure unscoped or scoped alerts:

* **Unscoped alert**: An alert configured for all zones in your Cloudflare account. Unscoped alerts are triggered either daily, hourly, or immediately, depending on the [alert type](https://developers.cloudflare.com/client-side-security/alerts/alert-types/).
* **Scoped alert**: An alert scoped to one or more zones. You must configure [content security rules](https://developers.cloudflare.com/client-side-security/rules/) for the zones you select to receive any notifications. Scoped alerts are triggered immediately. Rule violations will not trigger an alert. For more information, refer to [Scoped alerts](#scoped-alerts).

For alerts sent at regular intervals, you might experience a delay between adding a new script and receiving an alert.

For instructions on configuring alerts, refer to [Configure an alert](https://developers.cloudflare.com/client-side-security/alerts/configure/).

## Scoped alerts

Note

Only available to customers with Client-Side Security Advanced.

If you have configured [content security rules](https://developers.cloudflare.com/client-side-security/rules/) in a zone, you can filter alert notifications according to those rules. These alerts are called scoped alerts.

When you create a scoped alert using the **Policies of these zones** alert filter, you will only receive the most relevant notifications based on the rules you configured.

For each scoped alert, Cloudflare does the following:

1. Check which content security rules are enabled in a zone, either in allow or in log mode.
2. For every enabled rule, compare the URL of the new or changed resource against the allowed sources in the rule.
3. If the resource is allowed by the rule, check if the new or modified resource should trigger the current alert.
4. If the alert should trigger, send an alert notification to the configured destinations.

When you create a scoped alert, you will not receive notifications for resources that are not allowed by a policy (either [in allow or in log mode](https://developers.cloudflare.com/client-side-security/rules/#rule-actions)). These are [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/) that you can review in the dashboard, through GraphQL, or via Logpush.

Note

Scoped alerts only fire if the zone has at least one enabled content security rule.

For unscoped alerts, you will receive alerts for resources detected in all your zones, and you may receive alerts about resources that violate your configured content security rules.
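As an added example (not Cloudflare's implementation), the sketch below models two things described on these pages: what a content security rule in Log mode would report before you switch it to Allow, and the four-step decision for a scoped alert. The rule shape, the `events` field, the alert type strings and the simplified source matcher (no nonces, hashes or redirects, and rule scope expressions are ignored) are assumptions.

```javascript
// Simplified CSP source matching: 'self', 'none', *, scheme-sources and
// host-sources with optional scheme, leading "*." wildcard, port and path.
function sourceMatches(source, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const hostname = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  const defaultPort = url.protocol === "https:" || url.protocol === "wss:" ? "443" : "80";
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  // "*.example.com" covers subdomains only, not example.com itself.
  if (wildcard ? !hostname.endsWith("." + want) : hostname !== want) return false;
  if (port && port !== (url.port || defaultPort)) return false;
  if (!path) return true;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function allowedBy(rule, directive, resourceUrl, pageOrigin) {
  const sources = rule.directives[directive] ?? rule.directives["default-src"];
  // CSP semantics: a directive that is absent (with no default-src) restricts
  // nothing. Applying this to scoped alerts is an assumption of this sketch.
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Log-mode review: the resources a rule would report as violations, which
// are the same resources an Allow rule would block.
function dryRun(rule, observed, pageOrigin) {
  return observed
    .filter((r) => !allowedBy(rule, r.directive, r.url, pageOrigin))
    .map((r) => r.url);
}

// Scoped alert decision, following the four steps listed above.
function scopedAlertDecision(rules, resource, pageOrigin, alertType) {
  const enabled = rules.filter((r) => r.enabled);                  // step 1
  if (enabled.length === 0) return "inactive";                     // no enabled rule: never fires
  const allowed = enabled.some((r) =>
    allowedBy(r, resource.directive, resource.url, pageOrigin));   // step 2
  if (!allowed) return "violation";                                // reviewed as a rule violation, no alert
  return resource.events.includes(alertType) ? "alert" : "ignored"; // steps 3 and 4
}

// Constructed sample data.
const PAGE_ORIGIN = "https://shop.example";
const sampleRules = [{
  description: "checkout allowlist", enabled: true, action: "log",
  directives: {
    "script-src": ["'self'", "https://cdn.example.net/lib/", "*.payments.example"],
    "connect-src": ["'self'", "https://api.metrics.example"],
  },
}];
const observed = [
  { directive: "script-src", url: "https://shop.example/js/app.js", events: [] },
  { directive: "script-src", url: "https://cdn.example.net/lib/widget.js", events: ["code-change"] },
  { directive: "script-src", url: "https://js.payments.example/v2/sdk.js", events: ["new-resource"] },
  { directive: "script-src", url: "https://cdn.example.net/other/tag.js", events: ["new-resource"] },
  { directive: "connect-src", url: "https://collect.unknown.example/beacon", events: ["new-resource"] },
];

console.log("Would be reported in Log mode:", dryRun(sampleRules[0], observed, PAGE_ORIGIN));
for (const r of observed) {
  console.log(r.url, "->", scopedAlertDecision(sampleRules, r, PAGE_ORIGIN, "new-resource"));
}
```

An empty `dryRun` result for the resources you expect on a page is the signal that a rule is ready to move from Log to Allow.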


---

---
title: Alert types
description: You can configure alerts for resources detected in your domain. Refer to Alerts for more information.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Alert types

You can configure alerts for resources detected in your domain. Refer to [Alerts](https://developers.cloudflare.com/client-side-security/alerts/) for more information.

## New resource alerts

Note

Requires a Business plan or higher.

New resource alerts notify you about new resources detected on your domain, resources detected from new host domains, or issues with the URL length of newly detected resources.

Client-side security New Resources Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when new resources appear in their domain.

**Other options / filters**

None.

**Included with**

Business plans or higher.

**What should you do if you receive one?**

Investigate to confirm that it is an expected change.

**Additional information**

Triggered daily. If configured with a zone filter, the alert is triggered immediately.

Client-side security New Domain Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when resources from new host domains appear in their domain.

**Other options / filters**

None.

**Included with**

Business plans or higher.

**What should you do if you receive one?**

Investigate to confirm that it is an expected change.

**Additional information**

Triggered hourly. If configured with a zone filter, the alert is triggered immediately.

Client-side security New Resource Exceeds Max URL Length Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when a resource's URL exceeds the maximum allowed length.

**Other options / filters**

None.

**Included with**

Business plans or higher.

**What should you do if you receive one?**

Manually check the resource.

## Code change alert

Note

Only available to customers with Client-Side Security Advanced.

This alert notifies you about [code changes](https://developers.cloudflare.com/client-side-security/detection/review-changed-scripts/) in previously detected scripts.

### Client-side security New Code Change Detection Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when JavaScript dependencies change in the pages of their domain.

**Other options / filters**

None.

**Included with**

Customers with Client-Side Security Advanced.

**What should you do if you receive one?**

Investigate to confirm that it is an expected change.

**Additional information**

Triggered daily. If configured with a zone filter, the alert is triggered immediately.

## Malicious resource alerts

Note

Only available to customers with Client-Side Security Advanced.

Malicious resource alerts notify you about [resources considered malicious](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/), based on their [domain](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/#malicious-domain-checks), [URL](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/#malicious-url-checks), or [script content](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/#malicious-script-detection).

### Client-side security New Malicious Domain Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when resources from a known malicious domain appear in their domain. For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).

**Other options / filters**

None.

**Included with**

Customers with Client-Side Security Advanced.

**What should you do if you receive one?**

Review the information in the client-side security dashboard about the detected malicious resources, then update the pages where those resources were detected.

For more information, refer to [Review scripts and connections considered malicious](https://developers.cloudflare.com/client-side-security/detection/review-malicious-scripts/).

### Client-side security New Malicious URL Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when resources from a known malicious URL appear in their domain. For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).

**Other options / filters**

None.

**Included with**

Customers with Client-Side Security Advanced.

**What should you do if you receive one?**

Review the information in the client-side security dashboard about the detected malicious resources, then update the pages where those resources were detected.

For more information, refer to [Review scripts and connections considered malicious](https://developers.cloudflare.com/client-side-security/detection/review-malicious-scripts/).

### Client-side security New Malicious Script Alert

**Who is it for?**

[Client-side security](https://developers.cloudflare.com/client-side-security/) customers who want to receive a notification when Cloudflare classifies JavaScript dependencies in their domain as malicious. For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).

**Other options / filters**

None.

**Included with**

Customers with Client-Side Security Advanced.

**What should you do if you receive one?**

Review the information in the client-side security dashboard about the detected malicious resources, then update the pages where those resources were detected.

For more information, refer to [Review scripts and connections considered malicious](https://developers.cloudflare.com/client-side-security/detection/review-malicious-scripts/).

Malicious resource alerts will only include resources with an _Active_ status. Refer to [Script and connection statuses](https://developers.cloudflare.com/client-side-security/reference/script-statuses/) for more information.


---

---
title: Configure an alert
description: Configure scoped or unscoped client-side resource alerts to get notified about relevant client-side changes on your zones.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Configure an alert

To configure an alert:

1. In the Cloudflare dashboard, go to the **Notifications** page.  
   [Go to **Notifications**](https://dash.cloudflare.com/?to=/:account/notifications)
2. Choose **Add** and then select **Client-side security (formerly Page Shield)** in the **Product** dropdown.
3. Select an [alert type](https://developers.cloudflare.com/client-side-security/alerts/alert-types/).
4. Enter the notification name and description.
5. (Optional) If you are a customer with Client-Side Security Advanced, you can [define the zones for which you want to filter alerts](https://developers.cloudflare.com/client-side-security/alerts/#scoped-alerts) in **Rules of these zones**. This option requires that you define [content security rules](https://developers.cloudflare.com/client-side-security/rules/) in the selected zones.
6. Select one or more notification destinations (notification email, webhooks, and connected notification services).
7. Select **Create**.

## Manage alerts

To edit, delete, or disable an alert, go to the **Notifications** page.

[ Go to **Notifications** ](https://dash.cloudflare.com/?to=/:account/notifications) 


---

---
title: Content security rules
description: Use content security rules to define the resources (scripts) allowed on your applications.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Content security rules

Note

Only available to customers with Client-Side Security Advanced.

Content security rules (previously known as policies) define the resources allowed on your applications through Content Security Policy (CSP) directives. These rules can log violations and also enforce an allowlist of resources, effectively blocking resources not included in the policies. These two types of content security rules are called log rules and allow rules, respectively.

Create [allow rules](#rule-actions) to define a positive security model, also known as positive blocking. According to this model, you define what is allowed and reject everything else. Such an approach helps you reduce the attack surface for unwanted third-party scripts in your application.

A content security rule can control both client-side resources monitored by Cloudflare, such as scripts and their connections, and other types of resources. Refer to [Supported CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/) for details.

Note

Third-party service providers may require specific CSP directives. Refer to your provider's documentation for more information on the CSP directives you need to include in your rule.

## Rule actions

A content security rule can perform one of the following actions:

* **Log**: Cloudflare will log any resources not covered by the rule, without blocking any resources. Use this action to validate a new content security rule before deploying it. Resources not covered by the rule will be reported as [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/).
* **Allow**: Cloudflare will block any resources not explicitly allowed by the content security rule. Switch to the _Allow_ action after validating a new rule with the _Log_ action, so that your content security rule does not block essential application resources, which would affect your application's end users. Rules with the _Allow_ action will log [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/) for any blocked resources.

For details on the CSP directives Cloudflare creates for each type of rule action, refer to [How client-side security works](https://developers.cloudflare.com/client-side-security/how-it-works/#headers-related-to-content-security-rules). For more information on the CSP directives supported by content security rules, refer to [Supported CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/).

### Comparison

|                    | Log rule                                | Allow rule                             |
| ------------------ | --------------------------------------- | -------------------------------------- |
| **CSP header**     | content-security-policy-report-only     | content-security-policy                |
| **Browser action** | Loads all resources                     | Blocks resources not in your allowlist |
| **Violations**     | Reported to Cloudflare without blocking | Logged by Cloudflare after blocking    |
| **Use case**       | Validate a rule before enforcing it     | Enforce a positive security model      |

## Next steps

Refer to the following pages for instructions on creating a content security rule:

* [Create a content security rule in the dashboard](https://developers.cloudflare.com/client-side-security/rules/create-dashboard/)
* [Client-side security API: Create a content security rule](https://developers.cloudflare.com/client-side-security/reference/api/#create-a-content-security-rule)

Shortly after you configure content security rules, the Cloudflare dashboard will start displaying any [violations](https://developers.cloudflare.com/client-side-security/rules/violations/) of those rules.

You can filter client-side security alert notifications according to the content security rules you configured in a zone. These alerts are called [scoped alerts](https://developers.cloudflare.com/client-side-security/alerts/#scoped-alerts).


---

---
title: Create via API
image: https://developers.cloudflare.com/core-services-preview.png
---


# Create via API


---

---
title: Create a content security rule in the dashboard
description: Learn how to create a content security rule in the Cloudflare dashboard.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Create a content security rule in the dashboard

Note

Only available to customers with Client-Side Security Advanced.

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security rules** page.  
   [Go to **Security rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create** \> **Content security rules**.
3. Enter a descriptive name for the rule in **Description**.
4. Under **If incoming requests match**, define the scope of the content security rule (or policy). You can use the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**) or manually enter an expression using the Expression Editor. For more information, refer to [Edit expressions in the dashboard](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/).
5. Under **Allow these directives**, select the desired [CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/) for the content security rule by enabling one or more checkboxes.  
   * To manually enter an allowed source, select **Add source**.  
   * To refresh the displayed sources based on detected resources, select **Refresh suggestions**.  
   Note  
   Cloudflare provides suggestions for **Default**, **Scripts**, and **Connections** directives. For the **Default** directive, suggestions are based on monitored scripts and connections resources.
6. Under **Then take action**, select the desired action:  
   * _Allow_: Enforces the CSP directives configured in the rule, blocking any other resources from being loaded on your website, and logging any [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/).  
   * _Log_: Logs any content security rule violations without blocking any resources not covered by the rule.
7. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account and domain.
2. Go to **Security** \> **Client-side security** \> **Rules**.
3. Select **Create rule**.
4. Enter a descriptive name for the rule in **Description**.
5. Under **If incoming requests match**, define the rule scope. You can use the Expression Builder (specifying one or more values for **Field**, **Operator**, and **Value**) or manually enter an expression using the Expression Editor. For more information, refer to [Edit expressions in the dashboard](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/edit-expressions/).
6. Under **Allow these directives**, select the desired [CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/) for the rule by enabling one or more checkboxes.  
   * To manually enter an allowed source, select **Add source**.  
   * To refresh the displayed sources based on detected resources, select **Refresh suggestions**.  
   Note  
   Cloudflare provides suggestions for **Default**, **Scripts**, and **Connections** directives. For the **Default** directive, suggestions are based on monitored scripts and connections resources.
7. Under **Then take action**, select the desired action:  
   * _Allow_: Enforces the CSP directives configured in the rule, blocking any other resources from being loaded on your website, and logging any [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/).  
   * _Log_: Logs any content security rule violations without blocking any resources not covered by the rule.
8. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.


---

---
title: Supported CSP directives
description: CSP directives supported by content security rules
image: https://developers.cloudflare.com/core-services-preview.png
---


# Supported CSP directives

[Content security rules](https://developers.cloudflare.com/client-side-security/rules/) support most Content Security Policy (CSP) directives, covering both monitored and unmonitored resources. You can use a content security rule to control other types of resources besides scripts and their connections, even though Cloudflare is not monitoring these resources.

Each CSP directive can contain multiple values, including:

* Schemes
* Hostnames
* URIs
* Special keywords between single quotes (for example, `'none'`)
* Hashes between single quotes (for example, `'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC'`)

Hostname and URI values support a `*` wildcard for the leftmost subdomain.

The following table lists the supported CSP directives and special values you can use in content security rules:

| Directive | Name in the dashboard | Supported special values | Monitored |
| --- | --- | --- | --- |
| script-src | Scripts | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | [Yes](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/) |
| connect-src | Connections | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | [Yes](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/) |
| default-src | Default | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| img-src | Images | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| style-src | Styles | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| font-src | Fonts | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| object-src | Objects | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| media-src | Media | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| child-src | Child | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| form-action | Form actions | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| worker-src | Workers | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| base-uri | Base URI | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| manifest-src | Manifests | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| frame-src | Frames | `'none'`, `'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'<HASH>'` | No |
| frame-ancestors | Frame ancestors | `'none'`, `'self'` | No |
| upgrade-insecure-requests | Upgrade insecure requests | N/A | No |

## More resources

For more information on CSP directives and their values, refer to the following resources in the MDN documentation:

* [Content-Security-Policy response header ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy)
* [CSP guide ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP)


---

---
title: Content security rule violations
description: Cloudflare reports any violations to your content security rules.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Content security rule violations

Note

Only available to customers with Client-Side Security Advanced.

Shortly after you configure content security rules, the Cloudflare dashboard will start displaying any violations of those rules. This information will be available for rules with any [action](https://developers.cloudflare.com/client-side-security/rules/#rule-actions) (_Allow_ and _Log_).

Information about rule violations is also available via [GraphQL API](#get-rule-violations-via-graphql-api) and [Logpush](#get-rule-violations-via-logpush).

## Review rule violations in the dashboard

To view rule violation information:

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security rules** page.  
   [Go to **Security rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. (Optional) Filter by **Content security rules**.

**Old dashboard**

* In the Cloudflare dashboard, go to **Security** \> **Client-side security** \> **Rules**.

The displayed information includes the following:

* A sparkline next to the rule name, showing violations in the past seven days.
* For content security rules with associated violations, an expandable details section for each rule, with the top resources present in violation events and a sparkline per top resource.

## Get rule violations via GraphQL API

Use the [Cloudflare GraphQL API](https://developers.cloudflare.com/analytics/graphql-api/) to obtain rule violation information through the following dataset:

* `pageShieldReportsAdaptiveGroups`

You can query the dataset for rule violations that occurred in the past 30 days.

Use [introspection](https://developers.cloudflare.com/analytics/graphql-api/features/discovery/introspection/) to explore the available fields in the GraphQL schema. For more information, refer to [Explore the GraphQL schema](https://developers.cloudflare.com/analytics/graphql-api/getting-started/explore-graphql-schema/).

For an introduction to GraphQL querying, refer to [Querying basics](https://developers.cloudflare.com/analytics/graphql-api/getting-started/querying-basics/).

### Example

Example GraphQL query

```graphql
query PageShieldReports(
  $zoneTag: string
  $datetimeStart: Time
  $datetimeEnd: Time
) {
  viewer {
    zones(filter: { zoneTag: $zoneTag }) {
      pageShieldReportsAdaptiveGroups(
        limit: 100
        orderBy: [datetime_ASC]
        filter: { datetime_geq: $datetimeStart, datetime_leq: $datetimeEnd }
      ) {
        avg {
          sampleInterval
        }
        count
        dimensions {
          policyID
          datetime
          datetimeMinute
          datetimeFiveMinutes
          datetimeFifteenMinutes
          datetimeHalfOfHour
          datetimeHour
          url
          urlHost
          host
          resourceType
          pageURL
          action
        }
      }
    }
  }
}
```

[Run in GraphQL API Explorer](https://graphql.cloudflare.com/explorer?query=I4VwpgTgngBACgQwOZgMoAsCWYA2ATAJTAAcB7CAFwGcAKAKBhgBIAvUgOzABVkAuGKhQiZ2SBszwIKYCpgC2aCgkr8u8sOKaTpshQFF2eVeroBKGAG9xAN2wB3SJfGM2nWgDNMOaRH4WYrtx8zIE8SDAAvuZWjLEwxMhoWLiEJOTUAIKSxLLWYADiEKQgxLTOcTA48pgU-ACMAAwN5XHkeJAAQlD8ANraMuoA+hmoAMIAui2xnt6QfjD9umCDKMD8WlIDCqhKlAA0C5tLgzhgaxJH6gZ4kVPRU4wI1uExFXFUCHLEpwCS7D7WBA4B63N6MADGxX+ILw6nYVEwHCoTjBsTIVXBUB+ABEQYxFiZUfjLgoALIiEDSPGHHTqABimDy5PYlLAVGpBIUDPc0jA7GZrPZRJpWzAAAkge4APLuMXFCAckni+XUkAQYHCtU4OWCanoUi64UQNny8HcKDEDTChIoACqBAAMtSEODZBwQREpp64t7bhEgA&variables=N4IgXg9gdgpgKgQwOYgFwgFoHkByBRAfQEkAREAGhABMEAXGWgSwFsYBlWhAJ1rRACYADPwBsAWkEAWCQGY4gwagCsS1AEZBGCtToMWMPFCp8hoidMFzBI5ao1aAvkA)

Example curl request

```bash
echo '{ "query":
  "query PageShieldReports($zoneTag: string, $datetimeStart: string, $datetimeEnd: string) {
    viewer {
      zones(filter: {zoneTag: $zoneTag}) {
        pageShieldReportsAdaptiveGroups(limit: 100,  orderBy: [datetime_ASC], filter: {datetime_geq:$datetimeStart, datetime_leq:$datetimeEnd}) {
          avg {
            sampleInterval
          }
          count
          dimensions {
            policyID
            datetime
            datetimeMinute
            datetimeFiveMinutes
            datetimeFifteenMinutes
            datetimeHalfOfHour
            datetimeHour
            url
            urlHost
            host
            resourceType
            pageURL
            action
          }
        }
      }
    }
  }",
  "variables": {
    "zoneTag": "<CLOUDFLARE_ZONE_ID>",
    "datetimeStart": "2023-04-17T11:00:00Z",
    "datetimeEnd": "2023-04-24T12:00:00Z"
  }
}' | tr -d '\n' | curl --silent \
https://api.cloudflare.com/client/v4/graphql \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--header "Content-Type: application/json" \
--data @-
```
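When validating a Log rule before switching it to Allow, it helps to collapse the returned groups into one row per rule, resource type, and host. The following Python sketch is an added example, not part of the Cloudflare documentation. It assumes the response nests results as `data.viewer.zones[].pageShieldReportsAdaptiveGroups[]`, mirroring the query above; the `policyID`, `resourceType`, and `action` values in the sample are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample response (not real data), shaped like the query above.
SAMPLE_RESPONSE = {
    "data": {"viewer": {"zones": [{"pageShieldReportsAdaptiveGroups": [
        {"count": 42, "avg": {"sampleInterval": 1},
         "dimensions": {"policyID": "policy-a", "urlHost": "cdn.example.net",
                        "resourceType": "script", "action": "log",
                        "pageURL": "https://shop.example.com/checkout"}},
        {"count": 8, "avg": {"sampleInterval": 1},
         "dimensions": {"policyID": "policy-a", "urlHost": "cdn.example.net",
                        "resourceType": "script", "action": "log",
                        "pageURL": "https://shop.example.com/cart"}},
        {"count": 3, "avg": {"sampleInterval": 1},
         "dimensions": {"policyID": "policy-a", "urlHost": "api.example.org",
                        "resourceType": "connection", "action": "log",
                        "pageURL": "https://shop.example.com/checkout"}},
        {"count": 5, "avg": {"sampleInterval": 1},
         "dimensions": {"policyID": "policy-b", "urlHost": "tags.example.com",
                        "resourceType": "script", "action": "log",
                        "pageURL": "https://shop.example.com/"}},
    ]}]}},
    "errors": None,
}


def summarize_violations(response):
    """Return one row per (policyID, resourceType, urlHost), busiest first per rule."""
    if response.get("errors"):
        raise ValueError("GraphQL query failed: %r" % (response["errors"],))

    totals = defaultdict(lambda: {"count": 0, "pages": set()})
    for zone in response["data"]["viewer"]["zones"]:
        for group in zone["pageShieldReportsAdaptiveGroups"]:
            dims = group["dimensions"]
            key = (dims["policyID"], dims["resourceType"], dims["urlHost"])
            totals[key]["count"] += group["count"]
            totals[key]["pages"].add(dims["pageURL"])

    rows = [
        {"policyID": policy, "resourceType": rtype, "urlHost": host,
         "count": value["count"], "pages": sorted(value["pages"])}
        for (policy, rtype, host), value in totals.items()
    ]
    rows.sort(key=lambda r: (r["policyID"], -r["count"], r["urlHost"]))
    return rows


def hosts_to_review(rows, policy_id):
    """Hosts that violated one rule: candidates to allow, or to investigate."""
    return [(r["resourceType"], r["urlHost"]) for r in rows if r["policyID"] == policy_id]


if __name__ == "__main__":
    for row in summarize_violations(SAMPLE_RESPONSE):
        print(row)
```

A host that appears here is either a legitimate dependency missing from the rule or a resource that should not be on the page; confirm which before adding it as a source.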

## Get rule violations via Logpush

[Cloudflare Logpush](https://developers.cloudflare.com/logs/logpush/) supports pushing logs to storage services, SIEM systems, and log management providers.

Information about rule violations is available in the [page\_shield\_events dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/zone/page%5Fshield%5Fevents/).

For more information on configuring Logpush jobs, refer to [Logpush](https://developers.cloudflare.com/logs/logpush/) documentation.


---

---
title: Client-side security FAQ
description: When you create content security rules, Cloudflare will generate content security policy (CSP) directives from those rules based on their configuration:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Client-side security FAQ

## What happens to CSP HTTP headers set by the origin server when I create a content security rule?

When you create content security rules, Cloudflare will generate content security policy (CSP) directives from those rules based on their configuration:

* Log rules will create CSP directives for the `Content-Security-Policy-Report-Only` HTTP header.
* Allow rules will create CSP directives for the `Content-Security-Policy` HTTP header.

Client-side security only adds new CSP HTTP headers to the response. This means that Cloudflare will keep any `Content-Security-Policy-Report-Only` and `Content-Security-Policy` HTTP headers in the response set by the origin server and it will add separate HTTP headers for the content security rules configured on your Cloudflare zone.

It is recommended that you only have one rule in [allow mode](https://developers.cloudflare.com/client-side-security/rules/#rule-actions) (that is, a content security rule being enforced). If there is more than one `Content-Security-Policy` HTTP header in the response, the most restrictive policy wins. For more information, refer to the [MDN documentation ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#multiple%5Fcontent%5Fsecurity%5Fpolicies).
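The following Python sketch is an added example, not Cloudflare's or a browser's implementation. It illustrates both the header behavior described above and the leftmost-subdomain `*` wildcard from Supported CSP directives: a resource loads only if every `Content-Security-Policy` header allows it, while report-only headers never block. The header values are constructed, the page is assumed to be served over HTTPS, and ports, hashes, and nonces are ignored.

```python
from urllib.parse import urlsplit


def parse_policy(header_value):
    """Parse one CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """'*' is only valid as the leftmost label of a host source."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # '*.example.com' matches 'cdn.example.com' but not 'example.com'.
        return host.endswith(pattern[1:])
    return host == pattern


def source_matches(source, url, page_origin):
    target = urlsplit(url)
    if source == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc.lower()) == (origin.scheme, origin.netloc.lower())
    if source.startswith("'"):
        return False  # 'none', other keywords, and hashes never match a URL
    if source.endswith(":"):  # scheme source such as 'https:'
        return target.scheme == source[:-1].lower()
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        scheme, rest = "https", source  # assumption: the page itself is HTTPS
    host, _, path = rest.partition("/")
    if target.scheme != scheme.lower() or not host_matches(host, target.hostname or ""):
        return False
    if not path:
        return True
    path = "/" + path
    # A source path ending in '/' is a prefix; otherwise it must match exactly.
    return target.path.startswith(path) if path.endswith("/") else target.path == path


def policy_allows(policy, directive, url, page_origin):
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # this policy does not restrict the resource type
    return any(source_matches(s, url, page_origin) for s in sources)


def browser_decision(headers, directive, url, page_origin):
    """headers: (name, value) pairs from one response, in order."""
    blocked_by, reported_by = [], []
    for index, (name, value) in enumerate(headers):
        if policy_allows(parse_policy(value), directive, url, page_origin):
            continue
        if name.lower() == "content-security-policy":
            blocked_by.append(index)
        elif name.lower() == "content-security-policy-report-only":
            reported_by.append(index)
    return {"loads": not blocked_by, "blocked_by": blocked_by, "reported_by": reported_by}


# Constructed headers: 0 = set by the origin, 1 = added for an allow rule,
# 2 = added for a log rule.
HEADERS = [
    ("Content-Security-Policy", "script-src 'self' https://cdn.example.com"),
    ("Content-Security-Policy", "script-src 'self' *.example.com https://widgets.example.net/v2/"),
    ("Content-Security-Policy-Report-Only", "script-src 'self'"),
]
PAGE = "https://shop.example.com"

if __name__ == "__main__":
    for script in ("https://cdn.example.com/app.js", "https://static.example.com/x.js",
                   "https://widgets.example.net/v2/w.js", "https://example.com/x.js"):
        print(script, browser_decision(HEADERS, "script-src", script, PAGE))
```

In the sample, `https://static.example.com/x.js` is permitted by the allow rule's wildcard but still blocked, because the origin's own header does not list it. This is why an existing origin policy has to be reviewed together with the rule.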

## Can I add a `nonce` CSP directive to a content security rule?

Client-side security currently does not support [nonce ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP#nonces) directives in content security rules. Instead, you can use a [hash ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP#hashes) CSP directive. For details on the supported directives and values, refer to [Supported CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/).

---

---
title: Troubleshooting
description: Cloudflare does not collect data on every single page view. Instead, it uses a sampling approach to gather information efficiently. This means that domains with lower traffic might take longer to generate initial reports, as these domains need more page views to accumulate enough samples. To speed up the reporting process, it is recommended that you actively generate traffic to your application after activating client-side resource monitoring. This will provide Cloudflare with more data to work with, leading to faster report generation.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Troubleshooting

## Cloudflare does not show any client-side resources after activation

Cloudflare does not collect data on every single page view. Instead, it uses a sampling approach to gather information efficiently. This means that domains with lower traffic might take longer to generate initial reports, as these domains need more page views to accumulate enough samples. To speed up the reporting process, it is recommended that you actively generate traffic to your application after [activating client-side resource monitoring](https://developers.cloudflare.com/client-side-security/get-started/). This will provide Cloudflare with more data to work with, leading to faster report generation.

Other steps you can take to troubleshoot this issue:

* Verify that [client-side resource monitoring is turned on](https://developers.cloudflare.com/client-side-security/get-started/#1-activate-client-side-resource-monitoring).
* After enabling client-side resource monitoring and generating some traffic to your application (at least 100 requests), wait approximately one hour to ensure that Cloudflare has already collected and processed enough data to display in the client-side resource monitoring dashboard.
* Use your browser's dev tools (**Network** tab) to check if the [content-security-policy-report-only HTTP header](https://developers.cloudflare.com/client-side-security/reference/csp-header/) is present.
* Use analytics dashboards to verify if traffic is being proxied by Cloudflare.
* Check if there are duplicate or conflicting Content Security Policy (CSP) headers in responses. Your origin server might be adding CSP headers to the response.

## The dashboard shows scripts and connections that I do not recognize

Scripts often reference other scripts outside your application. However, if you see unexpected scripts on your resource monitoring dashboard, check them for signs of malicious activity.

## I get warnings in my browser's developer tools related to Content Security Policy (CSP)

Cloudflare uses a Content Security Policy (CSP) report-only directive to gather a list of all scripts running on your application.

Some browsers display scripts being reported as warnings in the console pane of their developer tools. For example:

```
[Report Only] Refused to execute inline script because it violates
the following Content Security Policy directive: "script-src 'none'".
Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...')
is required to enable inline execution.
```

You can safely ignore these warnings, since they are related to the reports that Cloudflare requires to detect loaded scripts. For more information, refer to [How client-side security works](https://developers.cloudflare.com/client-side-security/how-it-works/).

## I get rule violation reports for a domain I allowlisted

Rule violations reported via CSP's [report-only directive](https://developers.cloudflare.com/client-side-security/reference/csp-header/) do not take into consideration any redirects or redirect HTTP status codes. This is [by design ↗](https://www.w3.org/TR/CSP3/#create-violation-for-request) for security reasons.

Some third-party services you may want to cover in your allow rules perform redirects. An example of such a service is Google Ads, which [does not work well with CSP policies ↗](https://support.google.com/adsense/thread/102839782?hl=en&msgid=103611259).

For example, if you add the `adservice.google.com` domain to an allow rule, you could get rule violation reports for this domain due to redirects to a different domain (not present in your allow rule). In this case, the violation report would still mention the original domain, and not the domain of the redirected destination, which can cause some confusion.

To try to solve this issue, add the domain of the redirected destination to your allow rule. You may need to add several domains to your rule due to redirects.

## My rule is not triggering (CSP header not added)

If you have configured a content security rule but the expected CSP header is not being added to responses, [Transform Rules](https://developers.cloudflare.com/rules/transform/) may be rewriting the request path before the content security rule is evaluated.

Cloudflare evaluates rules in a [specific order](https://developers.cloudflare.com/ruleset-engine/reference/phases-list/) across different phases. [URL Rewrite Rules](https://developers.cloudflare.com/rules/transform/url-rewrite/) run early in the request lifecycle, while content security rules are evaluated later, during response phases.

This means that if your content security rule is matching incoming requests based on the request URI path (for example, using the field `http.request.uri.path`), the content security rule will evaluate against the rewritten path, not the original URI path requested by the visitor.

### Solution

To fix this issue, choose one of the following approaches:

* **Update the content security rule condition to match the rewritten path**: Change your rule's expression to match the rewritten URI path instead of the original visitor's URI path.
* **Use raw fields to match the original URI path**: Use the [raw.http.request.uri.path](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.path/) field instead of the [http.request.uri.path](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/http.request.uri.path/) field in your content security rule expression. [Raw fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/?field-category=Raw+fields) preserve the original request values and are not affected by Transform Rules.

When troubleshooting this issue, consider using [Cloudflare Trace](https://developers.cloudflare.com/rules/trace-request/) to verify how the request path changes as it passes through different phases.

## Responses contain duplicate CSP headers

If responses have duplicate `Content-Security-Policy` or `Content-Security-Policy-Report-Only` headers, this is likely caused by having both client-side security and a [response header transform rule](https://developers.cloudflare.com/rules/transform/response-header-modification/) adding the same header type.

Content security rules automatically add CSP headers to responses:

* [Log rules](https://developers.cloudflare.com/client-side-security/rules/#rule-actions) add `Content-Security-Policy-Report-Only` headers.
* [Allow rules](https://developers.cloudflare.com/client-side-security/rules/#rule-actions) add `Content-Security-Policy` headers.

If you have a response header transform rule configured with the **Add** operation for the same header type, both headers will be present in the response.

When browsers encounter multiple CSP headers, they enforce all of them, and the most restrictive policy wins. This can lead to unexpected blocking of legitimate resources.
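The following added example (not Cloudflare's code) shows why duplicate headers cause unexpected blocking, and applies equally to the FAQ note on multiple policies: a script loads only if every enforced policy allows it, while report-only policies never block. The matcher is a simplification that ignores paths, ports, nonces and hashes; the function names, header values and hostnames are constructed.

```javascript
// Parse one CSP policy string into a Map: directive name -> source expressions.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Within one policy, only the first occurrence of a directive counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified source matching: 'none', 'self', *, scheme sources and host
// sources with an optional scheme and a leading "*." wildcard.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return url.protocol === 'https:' || url.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  if (s.startsWith("'")) return false; // other keywords never match a URL
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Does a single policy allow loading a script from scriptUrl?
function policyAllowsScript(policy, scriptUrl, pageOrigin) {
  // script-src falls back to default-src; with neither, nothing is restricted.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// headers: [name, value] pairs exactly as sent, duplicates included.
function evaluateResponse(headers, scriptUrl, pageOrigin) {
  const enforced = [];
  const reportOnly = [];
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    // A comma inside one header value also separates independent policies.
    const policies = value.split(',').map(parsePolicy);
    if (lower === 'content-security-policy') enforced.push(...policies);
    else if (lower === 'content-security-policy-report-only') reportOnly.push(...policies);
  }
  return {
    enforcedPolicies: enforced.length,
    reportOnlyPolicies: reportOnly.length,
    // Blocked as soon as any single enforced policy disallows the script.
    blocked: enforced.some((p) => !policyAllowsScript(p, scriptUrl, pageOrigin)),
    // Report-only policies generate reports but never block.
    wouldReport: reportOnly.some((p) => !policyAllowsScript(p, scriptUrl, pageOrigin)),
  };
}

// Constructed response: an allow rule's header, a second header appended by a
// transform rule using the Add operation, and a report-only header.
const SAMPLE_HEADERS = [
  ['Content-Security-Policy', "script-src 'self' https://cdn.example.com https://analytics.example.net"],
  ['Content-Security-Policy', "default-src 'self'"],
  ['Content-Security-Policy-Report-Only', "script-src 'none'"],
];

console.log(evaluateResponse(SAMPLE_HEADERS, 'https://analytics.example.net/a.js', 'https://shop.example.com'));
```

In the sample, the analytics script is explicitly allowed by the first header but still blocked, because the second header's `default-src 'self'` does not allow it.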

### Solution

If you need to use Response Header Transform Rules alongside client-side security policies, use the **Set static** or **Set dynamic** operations. These operations replace any existing header value, including headers added by Cloudflare's client-side security. Using these operations will make your transform rule take precedence over client-side security.

Follow these steps to troubleshoot this issue:

1. Use your browser's dev tools (**Network** tab) to inspect the response headers and check for duplicate CSP headers.
2. Review your configured [Response Header Transform Rules](https://developers.cloudflare.com/rules/transform/response-header-modification/) and check if any are using the **Add** operation for `Content-Security-Policy` or `Content-Security-Policy-Report-Only` headers.
3. Change the operation from **Add** to **Set static** or **Set dynamic** if you want the transform rule to override client-side security's CSP headers.
4. Alternatively, disable or adjust the content security rule scope to avoid overlap with your transform rule.

### Recommended patterns

| Scenario                                     | Recommended approach                                                                                                         |
| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| Client-side security manages all CSP headers | Do not create Response Header Transform Rules for CSP headers.                                                               |
| Transform Rule manages all CSP headers       | Use **Set static** or **Set dynamic** operations, and consider excluding the affected paths from your content security rule. |
| Different CSP headers for different paths    | Use content security rule conditions to target specific paths, and avoid overlapping Transform Rules.                        |

---

---
title: Release notes
description: Subscribe to RSS
image: https://developers.cloudflare.com/core-services-preview.png
---

# Release notes

[ Subscribe to RSS ](https://developers.cloudflare.com/client-side-security/release-notes/index.xml)

## 2026-03-25

**Page Shield is now client-side security**

Cloudflare renamed Page Shield to client-side security. Cloudflare dashboard users still using the previous application security navigation in the dashboard can find the new client-side security section in **Security** \> **Client-side security**.  
Additionally, Page Shield policies are now called content security rules. This name matches the terminology already used in the new [application security dashboard](https://developers.cloudflare.com/security/).

## 2026-03-03

**Deprecated code behavior analysis scores**

Code behavior analysis scores have been removed from the malicious script details. The updated GNN and LLM-based detection approach has proven significantly more effective at identifying true positives, making the separate behavior analysis scores redundant.

Malicious code analysis scores and threat intelligence remain available for reviewing detected scripts. For more information, refer to [Review resources considered malicious](https://developers.cloudflare.com/client-side-security/detection/review-malicious-scripts/).

## 2026-03-03

**LLM-assisted false positive reduction for malicious script detection**

Page Shield now includes an additional machine learning step, utilizing an LLM powered by Workers AI, to assist in analyzing the JavaScript code of scripts loaded by your website visitors. This enhancement specifically helps reduce the false positive rate of our detection engines, focusing your attention on true positives.

Cloudflare uses open-source models for this analysis, and customer data is not used to train these models. For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).

## 2025-10-08

**Updated machine learning (ML) model**

The latest ML model has been deployed to all Page Shield add-on customers with better classification precision. Scripts with false positive classification may have a different pattern than the previous model deployment.

## 2025-09-12

**Scoped alerts now support policies in log mode**

[Scoped alerts](https://developers.cloudflare.com/client-side-security/alerts/) now take into account your Page Shield policies deployed in log mode. This allows you to simulate an end-to-end workflow before switching your policies to [allow mode](https://developers.cloudflare.com/client-side-security/rules/#rule-actions).

## 2025-05-20

**Updated machine learning (ML) model**

The latest ML model has been deployed to all Page Shield add-on customers with better classification precision. Scripts with false positive classification may have a different pattern than the previous model deployment.

## 2025-05-09

**Reports from browser extension injected resources are filtered out**

Script and connection reports caused by browser extension injections are now filtered out, helping you focus on managing application dependencies.

## 2024-12-02

**Alerts based on customer-defined policies**

You can now scope all of Page Shield's alert types to selected zones and their associated policies, alerting only on the resources that have been explicitly allowed.

## 2024-09-30

**New machine learning (ML) scores for detected scripts**

In addition to the global integrity score, Page Shield now provides individual script scores (from 1 to 99) for the following malicious code detections: Magecart, Crypto mining, and Malware.

## 2024-09-18

**Page Shield's script monitor now available in Free plan**

The Page Shield's script monitor feature is now available to all users, including users in the Free plan.

## 2024-09-18

**Page Shield policy changes now available in audit logs**

Cloudflare [Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/) now include entries for any changes to Page Shield's policies.

## 2024-06-18

**Cookie Monitor now available**

Page Shield now captures HTTP cookies set and used by your web application. The [list of detected cookies](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/) is available in the Cloudflare dashboard or via API.

## 2024-06-14

**Added filter operators for scripts and connections**

You can now filter scripts and connections in the Cloudflare dashboard using the `does not contain` operator. Pages associated with scripts and connections can be filtered by `includes`, `starts with`, and `ends with`.

## 2024-04-26

**Suggestions for the default directive**

When creating a policy in the dashboard, the default directive now aggregates suggestions from monitored scripts and connections data, making it easier to define the default directive.

## 2024-04-04

**Individual threat intelligence categories**

Instead of aggregating categories of URL and domain data from threat intelligence, they are now listed per type.

## 2024-03-21

**Increase allowed length per policy**

Now each policy supports up to 6,000 characters.

---

---
title: Deploy content security rules in production
description: Safe practices for deploying and updating content security rules.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Deploy content security rules in production

Note

Only available to customers with Client-Side Security Advanced.

Follow the practices on this page when deploying or updating [content security rules](https://developers.cloudflare.com/client-side-security/rules/) in a production environment. Applying rule changes without a validation period can block legitimate resources and disrupt your application for end users.

## Update rules safely

When updating content security rules in production, avoid the following:

* Do not edit an existing rule directly in production without testing first.
* Do not change a rule action from _Log_ to _Allow_ without a validation period.
* Do not delete all rules at once.

Instead, follow these practices:

* Test changes in a staging environment before applying them in production.
* Use the _Log_ [rule action](https://developers.cloudflare.com/client-side-security/rules/#rule-actions) for at least seven days before switching to _Allow_.
* Update one rule at a time.
* Monitor [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/) for 24 hours after each change.
* Document a rollback procedure before making changes.

## Pre-enforcement checklist

Complete the following checklist before switching a content security rule from _Log_ to _Allow_:

* The rule was tested in _Log_ mode for a minimum of seven days.
* Reviewed all [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/) and confirmed there are no unexpected blocks.
* Added all legitimate third-party resources to the rule allowlist.
* Tested the application on all major browsers (Chrome, Firefox, Safari, Edge).
* Configured [alerts](https://developers.cloudflare.com/client-side-security/alerts/) for rule violations.
* There is a documented rollback procedure that is ready to execute.

Warning

Switching a rule from _Log_ to _Allow_ without completing this checklist may block resources required by your application. This will directly affect your end users.

## Rollback a rule change

If a rule change causes unexpected violations or blocks legitimate resources:

1. Switch the rule action back to _Log_ to stop blocking resources immediately.
2. Review the [rule violations](https://developers.cloudflare.com/client-side-security/rules/violations/) to identify which resources were blocked.
3. Update the rule to include any missing resources.
4. Repeat the validation process before switching back to _Allow_ (blocks resources not present in the allowlist).

---

---
title: Handle a client-side resource alert
description: If you receive a client-side resource alert, sometimes you need to perform some manual investigation to confirm the nature of the script. Use the guidance provided in this page as a starting point for your investigation.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Handle a client-side resource alert

If you receive a [client-side resource alert](https://developers.cloudflare.com/client-side-security/alerts/alert-types/), sometimes you need to perform some manual investigation to confirm the nature of the script. Use the guidance provided in this page as a starting point for your investigation.

## 1\. Understand what triggered the alert

Start by identifying the [detection system](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/) that triggered the alert. A link is provided in the alert that will send you directly to the Cloudflare dashboard to the relevant resource that needs reviewing. Alternatively, do the following:

1. Navigate to the client-side resources page:
   * **New dashboard**:
     1. In the Cloudflare dashboard, go to the **Web assets** page.
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)
     2. Select the **Client-side resources** tab.
   * **Old dashboard**:
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
     2. Go to **Security** \> **Client-side security**.
2. Select **Scripts** or **Connections** and search for the resource mentioned on the alert you received.
3. Select **Details** next to the resource you identified. The example screenshot below shows a malicious script resource.  
![Dialog box showing the details of a script considered malicious.](https://developers.cloudflare.com/_astro/handle-alert-malicious-script-example.DqLS6vtx_ZFsQFA.webp)

The details page will specify which detection system triggered the alert. Check the values of the following fields:

* **Malicious code**
* **Malicious URL**
* **Malicious domain**

Different detection mechanisms may consider the script malicious at the same time. This increases the likelihood of the detection not being a false positive.

## 2\. Find the page where the resource was detected

If you received an alert for a potentially malicious script:

1. Navigate to the page on your website that is loading the script or performing the connection. Open a browser and navigate to one of the URLs in the **Page URLs** field (shown in the script details dialog box).
2. Open the browser's developer tools to confirm that the script is being loaded. You can check this in the developer tools' **Network** tab, searching for the script name, URL, or hostname.

If you received an alert for a potentially malicious connection:

1. Go to the page on your website where the connection that triggered the alert is being made. Open a browser and go to one of the URLs specified in the **Page URLs** field (shown in the connection details dialog box).
2. Open the browser's developer tools to confirm that the connection is being made. You can check this in the developer tools' **Network** tab, searching for the target hostname of the connection.

If you find the script or connection, this means the script is being loaded (or the connection is being established) for all website visitors — proceed to [step 3](#3-check-the-script-reputation).

If you do not find the script being loaded or the connection being made, this could mean one of the following:

* The script is being loaded (or the connection is being made) by visitors' browser extensions.
* Your current state will not load the script or make the connection. Complex applications might load scripts and establish connections based on state.
* You are not in the correct geographic location (or similar condition).
* The attacker is only loading the script or making the connection for a percentage of visitors or visitors with specific browsers/signatures.

In this case, in addition to the steps indicated below, the best approach is:

* From a safe virtual environment, use online search tools to search for the given resource. Review the results and the resource metadata, for example domain registration details.
* If in doubt, scan the application codebase for the resource and, if found, clarify its purpose.

## 3\. Check the script reputation

If Cloudflare considers the resource’s domain a "malicious domain", it is likely that the domain does not have a good reputation. The domain may be known for hosting malware or for being used for phishing attacks. Usually, reviewing the domain/hostname is sufficient to understand why you received the alert. You can use tools like Cloudflare's [Security Center Investigate ↗](https://dash.cloudflare.com/?to=/:account/security-center/investigate) platform to help with this validation.

If Cloudflare's internal systems classified the script as containing "malicious code", external tools may not confirm the detection you got from Cloudflare, since the machine learning (ML) model being used is Cloudflare-specific technology.

If you believe that Cloudflare's classification is a false positive, contact your account team so that we can further improve client-side security's underlying technology.

## 4\. (Optional) Analyze the script content

You could use a virtual machine to perform some of the following analysis:

1. Open the script URL and get the script source code. If the script is obfuscated or encoded, this could be a sign that the script is malicious.
2. Scan the script source code for any hostnames or IP addresses.
3. For each hostname or IP address you identified, use Cloudflare's Security Center Investigate platform to look up threat information and/or search online for potential Indicators of Compromise.
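The following added example (not Cloudflare's code) shows one way to do step 2 on source code you have already saved: it lists hostnames and IPv4 addresses, including ones hidden behind `\x`/`\u` escapes or base64 string literals, so each can be looked up in step 3. The function names, the hint labels and their thresholds are assumptions for this example, and the sample script is constructed using documentation-only domains and addresses.

```javascript
const URL_HOST = /\b(?:https?|wss?):\/\/((?:[a-z0-9-]+\.)+[a-z]{2,24})\b/gi;
const BARE_HOST = /^(?:[a-z0-9-]+\.)+[a-z]{2,24}$/i;
const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
const ESCAPE = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g;

// Turn \xNN and \uNNNN escape sequences into the characters they encode.
function decodeEscapes(text) {
  return text.replace(ESCAPE, (esc) => String.fromCharCode(parseInt(esc.slice(2), 16)));
}

// Decode quoted base64-looking literals (16+ characters) and keep only the
// ones that decode to printable ASCII, which filters out most coincidences.
function decodeBase64Literals(text) {
  const decoded = [];
  for (const m of text.matchAll(/["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g)) {
    const plain = Buffer.from(m[1], 'base64').toString('latin1');
    if (/^[\x20-\x7e]+$/.test(plain)) decoded.push(plain);
  }
  return decoded;
}

// Return the hostnames, IPv4 addresses and encoding hints found in a script.
// Hostnames are taken from URLs only, so property chains such as
// document.cookie are not mistaken for domains. Dotted version strings can
// still look like IPv4 addresses and need a manual check.
function extractIndicators(source) {
  const unescaped = decodeEscapes(source);
  const literals = decodeBase64Literals(unescaped);
  const hosts = new Set();
  const ips = new Set();
  for (const view of [unescaped, ...literals]) {
    for (const m of view.matchAll(URL_HOST)) hosts.add(m[1].toLowerCase());
    for (const ip of view.match(IPV4) || []) ips.add(ip);
  }
  // A decoded literal that is nothing but a hostname counts as well.
  for (const lit of literals) if (BARE_HOST.test(lit)) hosts.add(lit.toLowerCase());

  const hints = [];
  if ((source.match(ESCAPE) || []).length >= 8) hints.push('escaped-strings');
  if (literals.length > 0) hints.push('base64-literals');
  if (/\b(?:eval|Function)\s*\(/.test(source)) hints.push('dynamic-code');
  return { hosts: [...hosts].sort(), ips: [...ips].sort(), hints };
}

// Constructed sample: a plain URL, a base64-encoded URL, an IP address written
// as hex escapes, and a plain IP address.
const SAMPLE_SCRIPT = [
  'var a = "https://cdn.example.com/lib.js";',
  'var b = atob("' + Buffer.from('https://collect.example.net/p').toString('base64') + '");',
  'var c = "\\x31\\x39\\x38\\x2e\\x35\\x31\\x2e\\x31\\x30\\x30\\x2e\\x37";',
  'fetch("http://203.0.113.10/beacon");',
].join('\n');

console.log(extractIndicators(SAMPLE_SCRIPT));
```

The script only reads text and never executes the code under analysis, so it can run on a saved copy of the script inside the virtual machine mentioned above.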

---

## Conclusion

If a resource which triggered a malicious resource alert:

* Is actively present in your application
* Is being loaded from a malicious host or IP address, or has malicious code
* Has malicious hostnames or IP addresses in its source code, which may be obfuscated/encoded

You should investigate further, since these indicators can be a sign of an ongoing active compromise.

---

---
title: Monitor resources and cookies
description: Once you activate client-side security's resource monitoring, the main client-side resources dashboard will show which resources (scripts and connections) are running on your domain, as well as the cookies recently detected in HTTP traffic.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Monitor resources and cookies

Once you [activate client-side security's resource monitoring](https://developers.cloudflare.com/client-side-security/get-started/), the main client-side resources dashboard will show which resources (scripts and connections) are running on your domain, as well as the cookies recently detected in HTTP traffic.

If you notice unexpected scripts or connections on the dashboard, check them for signs of malicious activity. Customers with Client-Side Security Advanced will have their [connections and scripts classified as potentially malicious](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/) based on threat feeds. You should also check for any new or unexpected cookies.

Notes

* Users in Free and Pro plans only have access to script monitoring.
* If you recently activated client-side resource monitoring, you may see a delay in reporting.

## Use the client-side resources dashboards

To review the resources detected by Cloudflare:

1. Go to the client-side resources page:
   * **New dashboard**:
     1. In the Cloudflare dashboard, go to the **Web assets** page.
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)
     2. Select the **Client-side resources** tab.
   * **Old dashboard**:
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
     2. Go to **Security** \> **Client-side security**.
2. Review the list of scripts, connections, and cookies for your domain, depending on your Cloudflare plan. To apply a filter, select **Add filter** and use one or more of the available options.  
Available filters  
   * **Status**: Filter scripts or connections by [status](https://developers.cloudflare.com/client-side-security/reference/script-statuses/).  
   * **Script URL**: Filter scripts by their URL.  
   * **Connection URL**: Filter connections by their target URL. Depending on your [configuration](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details), it may search only by target hostname.  
   * **Seen on host**: Look for scripts appearing on specific hostnames, or connections made in a specific hostname.  
   * **Seen on page** (requires a Business or Enterprise plan): Look for scripts appearing in a specific page, or for connections made in a specific page. Searches the first page where the script was loaded (or where the connection was made) and the latest occurrences list.  
   * **Type**: Filter cookies according to their type: first-party cookies or unknown.  
   * Cookie property: Filter by a cookie property such as **Name**, **Domain**, **Path**, **Same site**, **HTTP only**, and **Secure**.
3. Depending on your plan, you may be able to [view the details of each item](#view-details).

## View all reported scripts or connections

The All Reported Connections and All Reported Scripts dashboards show all the detected resources including infrequent or inactive ones, reported in the last 30 days. After 30 days without any report, Cloudflare will delete information about a previously reported resource, and it will no longer appear in any of the dashboards.

1. Go to the client-side resources page:
   * **New dashboard**:
     1. In the Cloudflare dashboard, go to the **Web assets** page.
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)
     2. Select the **Client-side resources** tab.
   * **Old dashboard**:
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
     2. Go to **Security** \> **Client-side security**.
2. Select **Scripts** or **Connections**.
3. Select **View all scripts** or **View all connections**.
4. Review the information displayed in the dashboard.

You can filter the data in these dashboards using different criteria, and print a report with the displayed records.

## View details

Note

Only available to customers on Business and Enterprise plans.

1. Go to the client-side resources page:  
   * **New dashboard**:  
     1. In the Cloudflare dashboard, go to the **Web assets** page.  
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)  
     2. Select the **Client-side resources** tab.  
   * **Old dashboard**:  
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.  
     2. Go to **Security** \> **Client-side security**.
2. Select **Scripts**, **Connections**, or **Cookies** (the available options depend on your plan).
3. Next to a script, connection, or cookie in the list, select **Details**.  
Script and connection details  
   * **Last seen**: How long ago the resource was last detected (in the last 30 days).  
   * **First seen at**: The date and time when the resource was first detected.  
   * **Seen on host**: The host where the script is being loaded or the connection is being made.  
   * **Seen on pages**: The most recent pages where the resource was detected (up to 10 pages).  
   * **First seen on**: The page where the resource was first detected.  
The script details also include the last 10 script versions detected by client-side security.  
Note  
The **Hash** value shown in the script details for each script version is an internal identifier. This differs from the file content hash defined by [Subresource Integrity (SRI) ↗](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource%5FIntegrity) that is required to be used in [content security rules](https://developers.cloudflare.com/client-side-security/rules/).  
Cookie details  
   * **Type**: A cookie can have the following types:  
         * **First-party**: Cookies set by the origin server through a `set-cookie` HTTP response header.  
         * **Unknown**: All other detected cookies.  
   * **Domain**: The value of the `Domain` cookie attribute. When not set or unknown, this value is derived from the host.  
   * **Path**: The value of the `Path` cookie attribute. When not set or unknown, this value is derived from the most recent page where the cookie was detected.  
   * **Last seen**: How long ago the resource was last detected (in the last 30 days).  
   * **First seen at**: The date and time when the cookie was first detected.  
   * **Seen on host**: The host where the cookie was first detected.  
   * **Seen on pages**: The most recent pages where the cookie was detected (up to 10 pages).  
   * Additional cookie attributes (only available with Client-Side Security Advanced):  
         * **Max age**: The value of the `Max-Age` cookie attribute.  
         * **Expires**: The value of the `Expires` cookie attribute.  
         * **Lifetime**: The approximate cookie lifetime, based on the `Max-Age` and `Expires` cookie attributes.  
         * **HTTP only**: The value of the `HttpOnly` cookie attribute.  
         * **Secure**: The value of the `Secure` cookie attribute.  
         * **Same site**: The value of the `SameSite` cookie attribute.  
Except for **Domain** and **Path**, [standard cookie attributes ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) are only available for first-party cookies, where Cloudflare detected the `set-cookie` HTTP response header in HTTP traffic.

## Export data

Note

Only available to customers with Client-Side Security Advanced.

Use this feature to extract data for review and annotation. The data in the exported file will honor any filters you configure in the dashboard.

To export script, connection, or cookie information in CSV format:

1. Go to the client-side resources page:  
   * **New dashboard**:  
     1. In the Cloudflare dashboard, go to the **Web assets** page.  
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)  
     2. Select the **Client-side resources** tab.  
   * **Old dashboard**:  
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.  
     2. Go to **Security** \> **Client-side security**.
2. Select **Scripts**, **Connections**, or **Cookies**.
3. (Optional) Apply any filters to the displayed data.
4. Select **Download CSV**.

---

---
title: Review changed scripts
description: Learn how to review scripts on your domain after receiving a code change alert.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Review changed scripts

Note

Only available to customers with Client-Side Security Advanced.

Cloudflare analyzes the JavaScript dependencies in the pages of your domain over time.

You can configure a notification for [code change alerts](https://developers.cloudflare.com/client-side-security/alerts/alert-types/#code-change-alert) to receive a daily notification about changed scripts in your domain.

When you receive such a notification:

1. Go to the client-side resources page:  
   * **New dashboard**:  
     1. In the Cloudflare dashboard, go to the **Web assets** page.  
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)  
     2. Select the **Client-side resources** tab.  
   * **Old dashboard**:  
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.  
     2. Go to **Security** \> **Client-side security**.
2. Check the details of each changed script and validate if it is an expected change.

---

---
title: Review resources considered malicious
description: Learn how to review scripts and connections that Cloudflare's client-side security considered malicious.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Review resources considered malicious

Note

Domain-based threat intelligence is available to all customers. Malicious code analysis and URL-based threat intelligence require Client-Side Security Advanced.

Cloudflare displays scripts and connections considered malicious at the top of the dashboard lists, so that you can quickly identify those resources, review them, and take action.

## Review malicious scripts

To review the scripts considered malicious:

1. Go to the client-side resources page:  
   * **New dashboard**:  
     1. In the Cloudflare dashboard, go to the **Web assets** page.  
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)  
     2. Select the **Client-side resources** tab.  
   * **Old dashboard**:  
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.  
     2. Go to **Security** \> **Client-side security**.
2. Select the **Scripts** tab.
3. Select **Details** for each script considered malicious. The script details will contain:  
   * **Malicious code analysis**: Scores between 1-99 classifying how malicious the current script version is, where 1 means definitely malicious and 99 means definitely not malicious.  
   * **Threat intelligence**: Whether the script URL and/or domain is known to be malicious according to threat intelligence feeds. If the script is considered malicious according to the feeds, the dashboard will show a list of associated threat [categories](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/#malicious-script-and-connection-categories). If threat intelligence feeds do not have any information about the script URL or domain, the dashboard will show **Not present**.  
The script details also include the last 10 script versions detected by Cloudflare.  
Note  
The **Hash** value shown in the script details for each script version is an internal identifier. This differs from the file content hash defined by [Subresource Integrity (SRI) ↗](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource%5FIntegrity) that is required to be used in [content security rules](https://developers.cloudflare.com/client-side-security/rules/).  
For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).
4. Based on the displayed information, and with the help of the [last seen/first seen fields in the script details](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/#view-details), review and update the pages where the malicious script was detected.

You can configure alerts for detected malicious scripts. Refer to [Alerts](https://developers.cloudflare.com/client-side-security/alerts/) for more information.

## Review malicious connections

To review the connections considered malicious:

1. Go to the client-side resources page:  
   * **New dashboard**:  
     1. In the Cloudflare dashboard, go to the **Web assets** page.  
        [ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)  
     2. Select the **Client-side resources** tab.  
   * **Old dashboard**:  
     1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.  
     2. Go to **Security** \> **Client-side security**.
2. Select **Connections**.
3. Select **Details** for each connection considered malicious. The connection details will contain:  
   * **URL match**: Whether the connection's target URL is known to be malicious according to threat intelligence feeds. This field requires that you configure client-side security to analyze the [full URI](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details) of outgoing connections.  
   * **Domain match**: Whether the connection's target domain is known to be malicious according to threat intelligence feeds.  
   * **Category**: The categorization of the connection considered malicious according to threat intelligence feeds.  
For more information, refer to [Malicious script and connection detection](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/).
4. Based on the displayed information, and with the help of the [last seen/first seen fields in the connection details](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/#view-details), review and update the pages where the malicious connection was detected.

---

---
title: Client-side security API
description: You can enable and disable client-side security's resource monitoring, configure settings, and fetch information about detected scripts and connections using the client-side security API (formerly known as Page Shield API).
image: https://developers.cloudflare.com/core-services-preview.png
---

# Client-side security API

You can enable and disable client-side security's resource monitoring, configure settings, and fetch information about detected scripts and connections using the [client-side security API](https://developers.cloudflare.com/api/resources/page%5Fshield/methods/get/) (formerly known as Page Shield API).

To authenticate API requests you need an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/). For more information on the required API token permissions, refer to [Roles and permissions](https://developers.cloudflare.com/client-side-security/reference/roles-and-permissions/).

Note

Refer to [API deprecations](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/) for details on client-side security API changes.

## Endpoints

You can obtain the complete endpoint by appending the [client-side security API](https://developers.cloudflare.com/api/resources/page%5Fshield/methods/get/) endpoints to the Cloudflare API base URL:

```
https://api.cloudflare.com/client/v4
```

The `{zone_id}` argument is the zone ID (a hexadecimal string). You can find this value in the Cloudflare dashboard or using the Cloudflare API's [/zones endpoint](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/).

The `{script_id}` argument is the script ID (a hexadecimal string). This value is included in the response of the [List client-side security scripts](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/scripts/methods/list/) operation for every detected script.

The `{connection_id}` argument is the connection ID (a hexadecimal string). This value is included in the response of the List client-side security connections API operation for every detected connection.

The following table summarizes the available operations:

| Operation                                                                                                                                     | Method + URL stub                                              | Notes                                                            |
| --------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ---------------------------------------------------------------- |
| [Get client-side security settings](https://developers.cloudflare.com/api/resources/page%5Fshield/methods/get/)                               | GET zones/{zone\_id}/page\_shield                              | Fetch client-side security settings (including the status).      |
| [Update client-side security settings](https://developers.cloudflare.com/api/resources/page%5Fshield/methods/update/)                         | PUT zones/{zone\_id}/page\_shield                              | Update client-side security settings.                            |
| [List client-side security scripts](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/scripts/methods/list/)         | GET zones/{zone\_id}/page\_shield/scripts                      | Fetch a list of detected scripts.                                |
| [Get a client-side security script](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/scripts/methods/get/)          | GET zones/{zone\_id}/page\_shield/scripts/{script\_id}         | Fetch the details of a script.                                   |
| [List client-side security connections](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/connections/methods/list/) | GET zones/{zone\_id}/page\_shield/connections                  | Fetch a list of detected connections.                            |
| [Get a client-side security connection](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/connections/methods/get/)  | GET zones/{zone\_id}/page\_shield/connections/{connection\_id} | Fetch the details of a connection.                               |
| [List client-side security cookies](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/cookies/methods/list/)         | GET zones/{zone\_id}/page\_shield/cookies                      | Fetch a list of detected cookies.                                |
| [Get a client-side security cookie](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/cookies/methods/get/)          | GET zones/{zone\_id}/page\_shield/cookies/{cookie\_id}         | Fetch the details of a cookie.                                   |
| [List content security rules](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/policies/methods/list/)              | GET zones/{zone\_id}/page\_shield/policies                     | Fetch a list of all configured content security rules.           |
| [Get a content security rule](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/policies/methods/get/)               | GET zones/{zone\_id}/page\_shield/policies/{policy\_id}        | Fetch the details of a content security rule.                    |
| [Create a content security rule](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/policies/methods/create/)         | POST zones/{zone\_id}/page\_shield/policies                    | Creates a content security rule with the provided configuration. |
| [Update a content security rule](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/policies/methods/update/)         | PUT zones/{zone\_id}/page\_shield/policies/{policy\_id}        | Updates an existing content security rule.                       |
| [Delete a content security rule](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/policies/methods/delete/)         | DELETE zones/{zone\_id}/page\_shield/policies/{policy\_id}     | Deletes an existing content security rule.                       |

## API notes

The malicious script classification (`Malicious` or `Not malicious`) is not directly available in the API. To determine this classification, compare the script's `js_integrity_score` value with the classification threshold, which is currently set to 10. Scripts with a score value lower than the threshold are considered malicious.

## Common API calls

### Get client-side security settings

This example obtains the current settings of Cloudflare's client-side security, including the status (enabled/disabled).

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

Get Page Shield settings

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```json
{
  "result": {
    "enabled": true,
    "updated_at": "2023-05-14T11:47:55.677555Z",
    "use_cloudflare_reporting_endpoint": true,
    "use_connection_url_path": false
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

### Enable client-side security

This example enables Cloudflare's client-side security in the specified zone.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield`
* `Zone Settings Write`

Update Page Shield settings

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield" \
  --request PUT \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  --json '{
    "enabled": true
  }'
```

```json
{
  "result": {
    "enabled": true,
    "updated_at": "2023-05-14T11:50:41.756996Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

### Fetch list of detected scripts

This `GET` request fetches a list of scripts detected by Cloudflare's client-side security on hostname `example.net`, requesting the first page with 15 items per page. The URL query string includes filtering and paging parameters.

By default, the response will only include scripts with `active` status when you do not specify a `status` filter parameter in the URL query string.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

List Page Shield scripts

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/scripts?hosts=example.net&page=1&per_page=15" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```json
{
  "result": [
    {
      "id": "8337233faec2357ff84465a919534e4d",
      "url": "https://malicious.example.com/badscript.js",
      "added_at": "2023-05-18T10:51:10.09615Z",
      "first_seen_at": "2023-05-18T10:51:08Z",
      "last_seen_at": "2023-05-22T09:57:54Z",
      "host": "example.net",
      "domain_reported_malicious": false,
      "url_reported_malicious": true,
      "malicious_url_categories": ["Malware"],
      "first_page_url": "http://malicious.example.com/page_one.html",
      "status": "active",
      "url_contains_cdn_cgi_path": false,
      "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "js_integrity_score": 10,
      "obfuscation_score": 10,
      "dataflow_score": 8,
      "malware_score": 8,
      "cryptomining_score": 9,
      "magecart_score": 8,
      "fetched_at": "2023-05-21T16:58:07Z"
    }
    // (...)
  ],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 15,
    "count": 15,
    "total_count": 24,
    "total_pages": 2
  }
}
```

Some fields displayed in the example response may not be available, depending on your Cloudflare plan.

For details on the available filtering, paging, and sorting parameters, refer to the [API reference](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/scripts/methods/list/).
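The following Python sketch is an added example, not Cloudflare's code. It walks every page of a list-scripts result, applies the threshold rule from the API notes to `js_integrity_score`, and reports threat-intelligence flags separately, including records where the score field is absent because of the plan. The sample pages, IDs, and URLs are constructed, and `fetch_sample_page` is a hypothetical stand-in for the HTTP call.

```python
"""Triage list-scripts results: code-analysis verdict vs. threat-intel hits."""

THRESHOLD = 10  # classification threshold stated in the API notes

# Constructed sample data shaped like the list-scripts responses on this page
# (two pages, two items per page). IDs and URLs are made up.
SAMPLE_PAGES = {
    1: {
        "success": True,
        "errors": [],
        "result": [
            {   # boundary case: score equals the threshold, URL flagged by feeds
                "id": "a" * 32,
                "url": "https://cdn.example.com/lib.js",
                "js_integrity_score": 10,
                "url_reported_malicious": True,
                "malicious_url_categories": ["Malware"],
                "domain_reported_malicious": False,
            },
            {   # low score, no threat-intel hit
                "id": "b" * 32,
                "url": "https://scripts.example.com/checkout.js",
                "js_integrity_score": 3,
                "url_reported_malicious": False,
                "domain_reported_malicious": False,
            },
        ],
        "result_info": {"page": 1, "per_page": 2, "count": 2,
                        "total_count": 4, "total_pages": 2},
    },
    2: {
        "success": True,
        "errors": [],
        "result": [
            {   # high score, nothing reported
                "id": "c" * 32,
                "url": "https://static.example.net/app.js",
                "js_integrity_score": 48,
                "url_reported_malicious": False,
                "domain_reported_malicious": False,
            },
            {   # score fields absent (plan-dependent); domain flagged by feeds
                "id": "d" * 32,
                "url": "https://tracker.example.org/t.js",
                "domain_reported_malicious": True,
                "malicious_domain_categories": ["Spyware"],
            },
        ],
        "result_info": {"page": 2, "per_page": 2, "count": 2,
                        "total_count": 4, "total_pages": 2},
    },
}


def fetch_sample_page(page):
    """Offline stand-in for GET .../page_shield/scripts?page=N (assumption)."""
    return SAMPLE_PAGES[page]


def iter_scripts(fetch_page):
    """Yield every script record, following result_info.total_pages."""
    page = 1
    while True:
        body = fetch_page(page)
        if not body.get("success"):
            raise RuntimeError(f"API error on page {page}: {body.get('errors')}")
        yield from body["result"]
        if page >= body["result_info"]["total_pages"]:
            return
        page += 1


def classify(script, threshold=THRESHOLD):
    """Derive the code-analysis verdict and list threat-intel hits."""
    score = script.get("js_integrity_score")
    if score is None:
        code = "unavailable"        # field missing or null: do not guess
    elif score < threshold:
        code = "malicious"          # strictly lower than the threshold
    else:
        code = "not malicious"
    intel = []
    for kind in ("url", "domain"):
        if script.get(f"{kind}_reported_malicious"):
            cats = script.get(f"malicious_{kind}_categories") or ["uncategorized"]
            intel.append(f"{kind}: {', '.join(cats)}")
    return {
        "url": script["url"],
        "code_analysis": code,
        "threat_intel": intel,
        "needs_review": code == "malicious" or bool(intel),
    }


def triage(fetch_page):
    """Classify every script across all result pages."""
    return [classify(s) for s in iter_scripts(fetch_page)]


if __name__ == "__main__":
    for row in triage(fetch_sample_page):
        flag = "REVIEW" if row["needs_review"] else "ok"
        intel = "; ".join(row["threat_intel"]) or "none"
        print(f"{flag:6} {row['code_analysis']:13} intel={intel}  {row['url']}")
```

A score equal to the threshold is not classified as malicious by code analysis, so the threat-intelligence flags have to be checked separately, as the first sample record shows.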

### Fetch list of infrequently reported scripts

This `GET` request fetches a list of infrequently reported scripts on hostname `example.net`, requesting the first page with 15 items per page. The URL query string includes filtering and paging parameters.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

List Page Shield scripts

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/scripts?hosts=example.net&page=1&per_page=15&status=infrequent" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```json
{
  "result": [
    {
      "id": "83c8da2267394ce8465b74c299658fea",
      "url": "https://scripts.example.com/anotherbadscript.js",
      "added_at": "2023-05-17T13:16:03.419619Z",
      "first_seen_at": "2023-05-17T13:15:23Z",
      "last_seen_at": "2023-05-18T09:05:20Z",
      "host": "example.net",
      "domain_reported_malicious": false,
      "url_reported_malicious": false,
      "first_page_url": "http://malicious.example.com/page_one.html",
      "status": "infrequent",
      "url_contains_cdn_cgi_path": false,
      "hash": "9245aad577e846dd9b990b1b32425a3fae4aad8b8a28441a8b80084b6bb75a45",
      "js_integrity_score": 48,
      "obfuscation_score": 49,
      "dataflow_score": 45,
      "malware_score": 45,
      "cryptomining_score": 37,
      "magecart_score": 49,
      "fetched_at": "2023-05-18T03:58:07Z"
    }
    // (...)
  ],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 15,
    "count": 15,
    "total_count": 17,
    "total_pages": 2
  }
}
```

Some fields displayed in the example response may not be available, depending on your Cloudflare plan.

For details on the available filtering, paging, and sorting parameters, refer to the [API reference](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/scripts/methods/list/).

### Get details of a detected script

This `GET` request obtains the details of a script detected by Cloudflare's client-side security with script ID `8337233faec2357ff84465a919534e4d`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

Get a Page Shield script

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/scripts/8337233faec2357ff84465a919534e4d" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```json
{
  "result": {
    "id": "8337233faec2357ff84465a919534e4d",
    "url": "https://malicious.example.com/badscript.js",
    "added_at": "2023-05-18T10:51:10.09615Z",
    "first_seen_at": "2023-05-18T10:51:08Z",
    "last_seen_at": "2023-05-22T09:57:54Z",
    "host": "example.net",
    "domain_reported_malicious": false,
    "url_reported_malicious": true,
    "malicious_url_categories": ["Malware"],
    "first_page_url": "http://malicious.example.com/page_one.html",
    "status": "active",
    "url_contains_cdn_cgi_path": false,
    "hash": "9245aad577e846dd9b990b1b32425a3fae4aad8b8a28441a8b80084b6bb75a45",
    "js_integrity_score": 48,
    "obfuscation_score": 49,
    "dataflow_score": 45,
    "malware_score": 42,
    "cryptomining_score": 32,
    "magecart_score": 44,
    "fetched_at": "2023-05-21T16:58:07Z",
    "page_urls": [
      "http://malicious.example.com/page_two.html",
      "http://malicious.example.com/page_three.html",
      "http://malicious.example.com/page_four.html"
    ],
    "versions": [
      {
        "hash": "9245aad577e846dd9b990b1b32425a3fae4aad8b8a28441a8b80084b6bb75a45",
        "js_integrity_score": 48,
        "obfuscation_score": 49,
        "dataflow_score": 45,
        "malware_score": 42,
        "cryptomining_score": 32,
        "magecart_score": 44,
        "fetched_at": "2023-05-21T16:58:07Z"
      }
    ]
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Some fields displayed in the example response may not be available, depending on your Cloudflare plan.

### Fetch list of detected connections

This `GET` request fetches a list of connections detected by Cloudflare's client-side security, requesting the first page with 15 items per page.

By default, the response will only include connections with `active` status when you do not specify a `status` filter parameter in the URL query string.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

List Page Shield connections

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/connections?page=1&per_page=15" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```json
{
  "result": [
    {
      "id": "0a7bb628776f4e50a50d8594c4a01740",
      "url": "https://malicious.example.com",
      "added_at": "2022-09-18T10:51:10.09615Z",
      "first_seen_at": "2022-09-18T10:51:08Z",
      "last_seen_at": "2022-09-02T09:57:54Z",
      "host": "example.net",
      "domain_reported_malicious": true,
      "malicious_domain_categories": ["Malware", "Spyware"],
      "url_reported_malicious": false,
      "malicious_url_categories": [],
      "first_page_url": "https://example.net/one.html",
      "status": "active",
      "url_contains_cdn_cgi_path": false
    }
    // (...)
  ],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 15,
    "count": 15,
    "total_count": 16,
    "total_pages": 2
  }
}
```

For details on the available filtering, paging, and sorting parameters, refer to the [API reference](https://developers.cloudflare.com/api/resources/page%5Fshield/subresources/scripts/methods/list/).

### Get details of a detected connection

This `GET` request obtains the details of a connection detected by Cloudflare's client-side security with connection ID `0a7bb628776f4e50a50d8594c4a01740`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

Get a Page Shield connection

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/connections/0a7bb628776f4e50a50d8594c4a01740" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```json
{
  "result": {
    "id": "0a7bb628776f4e50a50d8594c4a01740",
    "url": "https://malicious.example.com",
    "added_at": "2022-09-18T10:51:10.09615Z",
    "first_seen_at": "2022-09-18T10:51:08Z",
    "last_seen_at": "2022-09-02T09:57:54Z",
    "host": "example.net",
    "domain_reported_malicious": true,
    "malicious_domain_categories": ["Malware", "Spyware"],
    "url_reported_malicious": false,
    "malicious_url_categories": [],
    "first_page_url": "https://example.net/one.html",
    "status": "active",
    "url_contains_cdn_cgi_path": false
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

### Fetch list of detected cookies

This `GET` request fetches a list of cookies detected by Cloudflare's client-side security, requesting the first page with 15 items per page.

By default, the response will only include cookies with `active` status when you do not specify a `status` filter parameter in the URL query string.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

List Page Shield Cookies

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/cookies?page=1&per_page=15" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```
{
  "result": [
    {
      "id": "beee03ada7e047e79f076785d8cd8b8e",
      "type": "first_party",
      "name": "PHPSESSID",
      "host": "example.net",
      "domain_attribute": "example.net",
      "expires_attribute": "2024-10-21T12:28:20Z",
      "http_only_attribute": true,
      "max_age_attribute": null,
      "path_attribute": "/store",
      "same_site_attribute": "strict",
      "secure_attribute": true,
      "first_seen_at": "2024-05-06T10:51:08Z",
      "last_seen_at": "2024-05-07T11:56:01Z",
      "first_page_url": "example.net/store/products",
      "page_urls": ["example.net/store/products/1"]
    }
    // (...)
  ],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 15,
    "count": 15,
    "total_count": 16,
    "total_pages": 2
  }
}
```

For details on the available filtering, paging, and sorting parameters, refer to [Make API calls](https://developers.cloudflare.com/fundamentals/api/how-to/make-api-calls/#pagination).
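An added example (not from Cloudflare's documentation) that audits the cookie records returned above for weak attributes: missing `Secure` or `HttpOnly`, a missing or unsafe `SameSite` setting, and an overly long lifetime. The second record, the function names, and the 180-day threshold are constructed; the code assumes `same_site_attribute` can also be `lax`, `none` or `null`, and that `max_age_attribute` is in seconds.

```python
from datetime import datetime

# Constructed records using the field names of the response above.
SAMPLE_COOKIES = [
    {"name": "PHPSESSID", "type": "first_party", "host": "example.net",
     "http_only_attribute": True, "secure_attribute": True,
     "same_site_attribute": "strict", "max_age_attribute": None,
     "expires_attribute": "2024-10-21T12:28:20Z",
     "last_seen_at": "2024-05-07T11:56:01Z"},
    {"name": "cart_id", "type": "first_party", "host": "example.net",
     "http_only_attribute": False, "secure_attribute": False,
     "same_site_attribute": "none", "max_age_attribute": None,
     "expires_attribute": "2026-05-07T00:00:00Z",
     "last_seen_at": "2024-05-07T11:56:01Z"},
]


def _parse_ts(value):
    # The API returns RFC 3339 timestamps ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_cookie(cookie, max_lifetime_days=180):
    """Return a list of findings for one cookie record (empty list = no findings)."""
    findings = []
    if not cookie.get("secure_attribute"):
        findings.append("missing Secure")
    if not cookie.get("http_only_attribute"):
        findings.append("missing HttpOnly")

    same_site = (cookie.get("same_site_attribute") or "").lower()
    if not same_site:
        findings.append("no SameSite attribute")
    elif same_site == "none" and not cookie.get("secure_attribute"):
        findings.append("SameSite=None without Secure")

    # Max-Age takes precedence over Expires when both are present.
    days = None
    if cookie.get("max_age_attribute") is not None:
        days = int(cookie["max_age_attribute"]) // 86400
    elif cookie.get("expires_attribute") and cookie.get("last_seen_at"):
        delta = _parse_ts(cookie["expires_attribute"]) - _parse_ts(cookie["last_seen_at"])
        days = delta.days
    if days is not None and days > max_lifetime_days:
        findings.append(f"lifetime {days} days exceeds {max_lifetime_days}")
    return findings


def audit_all(cookies, max_lifetime_days=180):
    """Map cookie name -> findings, omitting cookies with no findings."""
    report = {}
    for cookie in cookies:
        findings = audit_cookie(cookie, max_lifetime_days)
        if findings:
            report[cookie["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_COOKIES).items():
        print(name, "->", "; ".join(findings))
```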

### Get details of a detected cookie

This `GET` request obtains the details of a cookie detected by Cloudflare's client-side security with ID `beee03ada7e047e79f076785d8cd8b8e`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield Read`
* `Domain Page Shield`
* `Page Shield Read`
* `Zone Settings Write`
* `Zone Settings Read`

Get a Page Shield cookie

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/cookies/beee03ada7e047e79f076785d8cd8b8e" \
  --request GET \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

```
{
  "result": {
    "id": "beee03ada7e047e79f076785d8cd8b8e",
    "type": "first_party",
    "name": "PHPSESSID",
    "host": "example.net",
    "domain_attribute": "example.net",
    "expires_attribute": "2024-10-21T12:28:20Z",
    "http_only_attribute": true,
    "max_age_attribute": null,
    "path_attribute": "/store",
    "same_site_attribute": "strict",
    "secure_attribute": true,
    "first_seen_at": "2024-05-06T10:51:08Z",
    "last_seen_at": "2024-05-07T11:56:01Z",
    "first_page_url": "example.net/store/products",
    "page_urls": ["example.net/store/products/1"]
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

### Create a content security rule

This `POST` request creates a content security rule (previously called a policy) with _Log_ action, defining the following scripts as allowed based on where they are hosted:

* Scripts hosted in `myapp.example.com` (which does not include scripts in `example.com`).
* Scripts hosted in `cdnjs.cloudflare.com`.
* The Google Analytics script using its full URL.
* All scripts in the same origin (same HTTP or HTTPS scheme and hostname).

All other scripts would trigger a rule violation, but those scripts would not be blocked.

For more information on Content Security Policy (CSP) directives and values, refer to the [MDN documentation ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy).

Note

For a list of CSP directives and keywords supported by content security rules, refer to [Supported CSP directives](https://developers.cloudflare.com/client-side-security/rules/csp-directives/).

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Page Shield`
* `Domain Page Shield`
* `Zone Settings Write`

Create a Page Shield policy

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/page_shield/policies" \
  --request POST \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  --json '{
    "description": "My first content security rule in log mode",
    "action": "log",
    "expression": "http.host eq \"myapp.example.com\"",
    "enabled": "true",
    "value": "script-src myapp.example.com cdnjs.cloudflare.com https://www.google-analytics.com/analytics.js '\''self'\''"
  }'
```

```
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "<RULE_ID>",
    "description": "My first content security rule in log mode",
    "action": "log",
    "expression": "http.host eq \"myapp.example.com\"",
    "enabled": "true",
    "value": "script-src myapp.example.com cdnjs.cloudflare.com https://www.google-analytics.com/analytics.js 'self'"
  }
}
```

To create a content security rule with an _Allow_ action instead of _Log_, use `"action": "allow"` in the request body. With an _Allow_ rule, all scripts not allowed by the rule would be blocked.
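An added example, not Cloudflare's implementation: a simplified CSP source-list matcher showing which script URLs the rule's `script-src` value above allows and which would be reported as violations (or blocked under an _Allow_ action). The page origin, the script URLs, and the function names are constructed; the matcher ignores IPv6 hosts, nonces and hashes, and `default-src` fallback.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# The rule value from the request above.
RULE_VALUE = ("script-src myapp.example.com cdnjs.cloudflare.com "
              "https://www.google-analytics.com/analytics.js 'self'")
PAGE_ORIGIN = "https://myapp.example.com"  # constructed: page matched by the rule expression
SCRIPTS = [  # constructed script URLs
    "https://myapp.example.com/js/app.js",
    "https://example.com/lib.js",
    "https://cdnjs.cloudflare.com/ajax/libs/x.js",
    "https://www.google-analytics.com/analytics.js",
    "https://www.google-analytics.com/other.js",
    "https://static.example.org/t.js",
]


def _scheme_ok(expected, actual):
    # An http expectation is also satisfied by the https upgrade.
    return expected == actual or (expected == "http" and actual == "https")


def _on_default_port(parts):
    return parts.port in (None, DEFAULT_PORTS.get(parts.scheme))


def source_matches(source, url, page_origin):
    """Simplified CSP matching of one source expression against a URL."""
    target, origin = urlsplit(url), urlsplit(page_origin)
    t_host = (target.hostname or "").lower()
    if source.lower() == "'self'":
        same_port = (target.port == origin.port or
                     (_on_default_port(target) and _on_default_port(origin)))
        return (_scheme_ok(origin.scheme, target.scheme)
                and t_host == (origin.hostname or "").lower() and same_port)
    if source.startswith("'"):
        return False  # other keywords, nonces and hashes never match by URL
    if source.endswith(":"):  # scheme-source such as https:
        return _scheme_ok(source[:-1].lower(), target.scheme)
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = origin.scheme, source  # no scheme: inherit the page's
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.lower().partition(":")
    if not _scheme_ok(scheme.lower(), target.scheme):
        return False
    if host.startswith("*."):
        if not t_host.endswith(host[1:]):  # subdomains only, not the bare domain
            return False
    elif t_host != host:  # myapp.example.com does not cover example.com
        return False
    if port and port != "*":
        if (target.port or DEFAULT_PORTS.get(target.scheme)) != int(port):
            return False
    elif not port and not _on_default_port(target):
        return False
    path = slash + path
    if path in ("", "/"):
        return True
    # A trailing slash means prefix match; otherwise the path must match exactly.
    return target.path.startswith(path) if path.endswith("/") else target.path == path


def violations(policy_value, script_urls, page_origin):
    """Return the script URLs not allowed by the policy's script-src directive."""
    for directive in policy_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return [u for u in script_urls
                    if not any(source_matches(s, u, page_origin) for s in tokens[1:])]
    return []  # no script-src directive: default-src fallback is not modelled


if __name__ == "__main__":
    for url in violations(RULE_VALUE, SCRIPTS, PAGE_ORIGIN):
        print("violation:", url)
```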


---

---
title: CSP HTTP header format
description: The format of the Content Security Policy (CSP) report-only HTTP header added by Cloudflare is the following:
image: https://developers.cloudflare.com/core-services-preview.png
---

# CSP HTTP header format

The format of the Content Security Policy (CSP) report-only HTTP header added by Cloudflare is the following:

```
content-security-policy-report-only: script-src 'unsafe-inline' 'unsafe-eval'; connect-src 'none'; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?<QUERY_STRING>
```

If you [configured the reporting endpoint](https://developers.cloudflare.com/client-side-security/reference/settings/#reporting-endpoint) to use the same hostname, the HTTP header will have the following format:

```
content-security-policy-report-only: script-src 'unsafe-inline' 'unsafe-eval'; connect-src 'none'; report-uri <YOUR_HOSTNAME>/cdn-cgi/script_monitor/report?<QUERY_STRING>
```

Notes

Cloudflare adds the CSP report-only HTTP header used to monitor webpage resources to a sample of sent responses.

Configuring [log rules](https://developers.cloudflare.com/client-side-security/rules/) will add other CSP report-only headers to responses. Cloudflare does not perform any sampling for these report-only headers related to customer-defined content security rules.

## Related resources

* [Mozilla Developer Network's (MDN) documentation on Content-Security-Policy-Report-Only ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy-Report-Only)


---

---
title: Client-side security and PCI DSS compliance
description: You can use Cloudflare's client-side security for PCI DSS v4's client-side security requirements (items 6.4.3 and 11.6.1).
image: https://developers.cloudflare.com/core-services-preview.png
---

# Client-side security and PCI DSS compliance

You can use Cloudflare's client-side security for PCI DSS v4's client-side security requirements (items 6.4.3 and 11.6.1).

Refer to the [PCI DSS v.4.0 Evaluation ↗](https://cfl.re/4dhk8Gx) whitepaper for details on how you can use Cloudflare's client-side security to meet the new v4 requirements.

Note

To help with PCI DSS requirements, you must have Client-Side Security Advanced. Refer to [Availability](https://developers.cloudflare.com/client-side-security/#availability) for details on what is included in each package.


---

---
title: Roles and permissions
description: User roles and API token permissions required to access and configure client-side security.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Roles and permissions

Cloudflare users with the following [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) have access to client-side security in the Cloudflare dashboard:

* Administrator
* Super Administrator - All Privileges
* Page Shield
* Page Shield Read _(read-only access)_
* Domain Page Shield
* Domain Page Shield Read _(read-only access)_

The availability of specific features depends on your client-side security bundle. Refer to [Availability](https://developers.cloudflare.com/client-side-security/#availability) for more information.

## API token permissions

To interact with the [client-side security API](https://developers.cloudflare.com/client-side-security/reference/api/) you need an API token with one of the following [permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/):

Dashboard:

* Client-side security > Edit
* Client-side security > Read _(read-only access)_

API:

* Page Shield Write
* Page Shield Read _(read-only access)_


---

---
title: Script and connection statuses
description: Cloudflare classifies scripts and connections (also known as resources) according to the following:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Script and connection statuses

Cloudflare classifies scripts and connections (also known as resources) according to the following:

* The number of times a script/connection was reported.
* Whether the script/connection is considered malicious or not.

Use client-side security's dashboards to review the scripts loaded in your domain and the connections they make. For more information, refer to [Monitor resources and cookies](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/).

## Available statuses

* **Infrequent**: There are fewer than three reports for the script/connection. If there are no reports for a script/connection with _Infrequent_ status for five days, then Cloudflare will delete all the information about the script/connection. Scripts with _Infrequent_ status appear only in the All Reported Scripts dashboard, and connections with _Infrequent_ status appear only in the All Reported Connections dashboard.
* **Active**: There are more than three reports for the script/connection.
* **Inactive**: A previously active script/connection was not reported in the last seven days. If the script/connection is reported again later, its status will change back to _Active_. If the script/connection is not reported for 30 days, Cloudflare will delete all the information about it. Scripts with _Inactive_ status appear only in the All Reported Scripts dashboard, and connections with _Inactive_ status appear only in the All Reported Connections dashboard.

Note

All scripts and connections considered malicious will appear in the Monitors dashboard, regardless of their status.

Malicious script detection is only available to customers with Client-Side Security Advanced.


---

---
title: Configuration settings
description: When enabled, client-side security's resource monitoring uses a Content Security Policy (CSP) report-only HTTP header to gather information about all the scripts running on your application.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Configuration settings

## Reporting endpoint

When enabled, client-side security's resource monitoring uses a Content Security Policy (CSP) [report-only HTTP header](https://developers.cloudflare.com/client-side-security/reference/csp-header/) to gather information about all the scripts running on your application.

By default, reports are sent to a Cloudflare-owned endpoint:

```
https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?<QUERY_STRING>
```

Customers with Client-Side Security Advanced can change the reporting endpoint so that the CSP reports are sent to the same hostname:

```
<YOUR-HOSTNAME>/cdn-cgi/script-monitor/report?<QUERY_STRING>
```

### Prerequisites for using the same hostname for CSP reports

Using the same hostname for CSP reporting may interfere with other Cloudflare products. Before selecting this option, ensure that your Cloudflare configuration complies with the following:

* No rate limiting rules match the `cdn-cgi/*` URL path
* No custom rules match the `cdn-cgi/*` URL path

### Configure the reporting endpoint

Note

Only available to customers with Client-Side Security Advanced.

To configure the CSP reporting endpoint:

New dashboard:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
   [Go to **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Client-side abuse**.
3. Under **Continuous script monitoring** \> **Configurations**, select the edit icon next to **Reporting endpoint**.
4. Select **Cloudflare-owned endpoint** or **Same hostname**.
5. Select **Save**.

Old dashboard:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Client-side security** \> **Settings**.
3. Under **Reporting endpoint**, select **Cloudflare-owned endpoint** or **Same hostname**.
4. Select **Apply settings**.

## Connection target details

When connection targets are reported to Cloudflare, their URIs can sometimes include sensitive data such as a session ID.

By default, client-side security only checks the domain against malicious threat intelligence feeds. You can choose to let Cloudflare use the full URI when analyzing the connections made from your domain's pages. Any sensitive data present in the URI will be logged in clear text, and any user with access to the connection monitor dashboard will be able to view it.

### Configure the connection target details to use

New dashboard:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
   [Go to **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Client-side abuse**.
3. Under **Continuous script monitoring** \> **Configurations**, select the edit icon next to **Data processing**.
4. Select **Log host only** to analyze only the hostname or **Log full URI** to use the full URI.
5. Select **Save**.

Old dashboard:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Client-side security** \> **Settings**.
3. Under **Connection target details**, select **Log host only** to analyze only the hostname or **Log full URI** to use the full URI in client-side security.
4. Select **Apply settings**.

## Turn off client-side resource monitoring

When you turn off client-side security's resource monitoring, you lose visibility on the scripts running on your zone, the outbound connections made from pages in your domain, and cookies detected in HTTP traffic.

To turn off client-side resource monitoring:

New dashboard:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
   [Go to **Settings**](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Client-side abuse**.
3. Next to **Continuous script monitoring**, set the toggle to **Off**.

Old dashboard:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Client-side security** \> **Settings**.
3. In **Continuous monitoring and alerting**, select **Disable**.

Turning off client-side security's resource monitoring does not turn off [content security rules](https://developers.cloudflare.com/client-side-security/rules/) (previously known as policies). To turn off content security rules:

New dashboard:

1. In the Cloudflare dashboard, go to the **Security rules** page.  
   [Go to **Security rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. (Optional) Filter by **Content security rules**.
3. For each rule, select the three dots next to it > **Disable**.

Old dashboard:

1. Go to **Security** \> **Client-side security** \> **Rules**.
2. For each rule, set the toggle to **Off**.

