Client-Side Security

Client-Side Security: What It Is, Why It Matters, and How to Get It Right

Most security programs cover what you deploy — not what actually runs in your users' browsers. This is the gap, why it matters, and what client-side security actually requires.

The Problem

The gap that most website security programs don't cover

Your website loads code you didn't write. Tag managers, analytics libraries, payment widgets, A/B testing scripts, chat widgets — every one of them executes in your users' browsers with the same privileges as your own code. And most of them can change at any time without you knowing.

Your security program covers what you deploy. It doesn't cover what actually executes once the page loads.

This isn't a theoretical concern. In early 2026, Report URI tracked a live Magecart campaign targeting e-commerce sites with per-victim payloads, admin-detection evasion, and anti-debugging logic — all running silently in the browser while the sites appeared to work normally. The attackers didn't need to compromise the server in a traditional sense. They needed JavaScript execution in the browser, because that's where the payment data lives.

In a separate incident, a single support ticket containing a stored XSS payload was enough to compromise a learning platform used by 275 million students. The attack chain was entirely client-side: malicious code executed in an employee's authenticated browser session, giving the attacker API access across the entire infrastructure.

These aren't edge cases; they're a pattern. And the reason they work is that most security programs still treat the browser as a display layer rather than an execution environment.

The Definition

What is client-side security?

Client-side security is the discipline of knowing, controlling, and proving what code executes in your users' browsers. It covers three things: visibility into what actually runs on your web pages, control over what is allowed to execute, and auditable proof that your policies are being enforced.

What it is not

Client-side security is not a replacement for server-side security, application security testing, or network defences. It doesn't cover vulnerabilities in your own code — that's what SAST, DAST, and code review are for. It doesn't replace your WAF. It doesn't replace your SIEM.

It's the layer that addresses the gap those tools leave open: what happens in the browser after the page loads, when third-party code runs alongside yours and can change, break, or behave unexpectedly at any time.

Client-side security is It isn't
Visibility into every script that executes A replacement for secure coding
Control over what's allowed to run Another WAF or edge filter
Proof of what ran, changed, and was blocked A point-in-time scan
A browser-layer defence Server-side log monitoring
The Shift

Why the browser became an attack surface

Modern websites don't just serve HTML. They assemble themselves in the browser from dozens of sources. A typical e-commerce checkout page might load scripts from a tag manager, an analytics provider, a payment processor, a fraud detection service, a chat widget, and several marketing tools. Each of those scripts can load additional dependencies. Each dependency can change without notice. And every one of them executes with full access to the page DOM — the same access your own code has.

This is a third-party script problem. You approved the tag manager. You didn't approve everything it loaded. The attack surface this creates has a few characteristics that make it different from traditional server-side risk.

The code changes without a deployment

A third-party script that was safe last week can be compromised this week. The Polyfill.io supply chain attack demonstrated this at scale — a widely trusted JavaScript CDN changed ownership, and the new operators began serving malware to every site that still loaded it. Nothing changed in the site owners' deployment pipelines. The risk arrived through a dependency they'd long since stopped thinking about.

Attackers target this layer deliberately

When our founder, Scott Helme, analysed a compromised WooCommerce site, the attackers had enough server access to modify files on disk. They chose to inject client-side JavaScript instead — because the payment card data they wanted to steal only existed in the browser, not on the server. This is a deliberate tactical choice, and it's one that server-side monitoring will never see.

The attack surface extends beyond your supply chain

Malicious browser extensions can inject JavaScript into your pages without compromising your site or your vendors. Report URI detected a Chrome extension called “Amazing Refresh” that injected scripts into customer websites, hijacking outbound clicks through affiliate infrastructure. The site itself was clean. The code executing on the page was not.

The Gap in Existing Tools

What your existing stack misses

If you have a WAF, a SIEM, endpoint protection, and a vulnerability management program, you have a security stack. But none of those tools were built to answer the question: what is actually executing in the browser right now?

WAFs protect the server, not the browser

A WAF inspects requests to your origin. It can't see what a third-party script does after the page loads. Magecart-style attacks that skim payment data from the browser never touch your server in a way that triggers a WAF rule. The exfiltration goes directly from the user's browser to attacker-controlled infrastructure.

SIEMs aggregate server-side logs

They're excellent at correlating events across your infrastructure. They have no visibility into client-side script behaviour, DOM manipulation, or data exfiltration that happens entirely within the browser context.

Static CSP is a starting point, not a solution

Content Security Policy is a browser-native standard that controls which sources can load scripts on your pages. It's valuable — but a CSP header you deployed six months ago and haven't actively managed since doesn't reflect what's executing today. And CSP without violation monitoring is a policy you can't prove is working. Our research on live Magecart campaigns has documented skimmers that detect CSP enforcement and adapt — changing their exfiltration method from network requests to page redirects to work around the policy. CSP narrows the attacker's options. It doesn't eliminate them without active monitoring and enforcement.

Vulnerability scanning checks your code, not your dependencies at runtime

SAST and DAST tools find vulnerabilities in the code you wrote. They don't monitor whether a third-party script you loaded last year has started behaving differently this week.

The result is a blind spot. You have tools that cover the server, network, endpoint, and application code. You don't have a tool covering what code is actually running on your web pages in your users' browsers. That's what client-side security addresses. See how CSP reporting closes the gap between policy and proof →

The Essentials

The three things client-side security requires

Client-side security isn't a feature. It's a capability that requires three things working together. Miss any one and the layer doesn't hold.

Visibility

You need to know what code is executing on your pages. Not what you intended to load — what actually ran. This means continuous monitoring of scripts, their sources, their behaviour, and any changes to them. Our team has documented skimmers that use admin-detection, anti-debugging, and DOM self-removal techniques specifically designed to stay invisible to anyone who isn't watching the browser layer continuously. If you're relying on periodic manual checks, you're seeing what the attacker wants you to see. See how Script Watch monitors your JavaScript →

Control

Visibility without the ability to act on it is just a dashboard you'll stop checking. Client-side security requires the ability to define what is allowed to execute — and enforce that definition. This means policy-based control: deciding what scripts, sources, and behaviours are authorised, and having a mechanism that enforces those decisions at the point of execution in the browser.

Proof

Knowing what ran and controlling what's allowed isn't enough if you can't demonstrate it. Auditors, leadership, and regulators increasingly require evidence — not assertions — that your security controls are working. Client-side security produces auditable records of what executed, what was blocked, what changed, and when.

The Threats

The threats this layer addresses

Client-side security isn't solving a theoretical problem. It addresses specific, documented attack patterns that are actively used against organisations of all sizes. These attacks share a common trait: they execute in the browser, where server-side defences can't see them.

Magecart and formjacking

Attackers inject malicious JavaScript into web pages — typically checkout or payment pages — to capture payment card data, personal information, and credentials as users enter them. The stolen data is exfiltrated directly from the browser to attacker-controlled infrastructure. The website continues to function normally. The server logs show nothing. Our founder, Scott Helme, has documented live campaigns where the skimmer validated card numbers using the Luhn algorithm before exfiltrating, tracked previously stolen cards in localStorage to avoid duplicates, and communicated over encrypted WebSocket connections to evade network-level inspection. The European Space Agency's web store, WooCommerce sites, and Magento installations have all been hit by variants of this attack in the past year alone. Detecting Magecart and formjacking attacks →

Script tampering and supply chain compromise

A trusted third-party script changes — either because the vendor was compromised, the CDN was taken over, or the script was modified in transit. The Polyfill.io incident is the canonical example: millions of sites were loading JavaScript from a domain that was sold to a new owner, who then used it to distribute malware. But supply chain compromise doesn't require a headline-worthy event. A single modified analytics script or a compromised tag manager dependency can introduce risk just as effectively.

Post-authentication session attacks

Authentication is getting stronger — passwords, MFA, passkeys. But once the user is logged in, the session is typically maintained by a cookie. A stolen session cookie bypasses every authentication control. And cross-site scripting in a passkey-protected environment is worse than it sounds: Our research demonstrated that a single XSS vulnerability can silently register an attacker-controlled passkey on a victim's account, creating a persistent backdoor that survives password resets and session revocations. What passkeys don't protect against →

XSS at scale

Cross-site scripting has been ranked the #1 most dangerous software weakness by MITRE and CISA for both 2024 and 2025. It's not a legacy vulnerability class — it's the most actively exploited category of web application flaw. CSP is one of the most effective mitigations, but only when deployed, monitored, and actively enforced. Preventing cross-site scripting with CSP →

Compliance

Where compliance fits in

PCI DSS 4.0.1 made client-side security a compliance requirement, not just a best practice. These requirements exist because of Magecart. The PCI Security Standards Council recognised that payment card skimming has moved to the browser, and that server-side controls alone can't address it.

Requirement 6.4.3

Every script executing on payment pages must be authorised, inventoried, and documented — with a mechanism to confirm that authorisation is maintained over time.

Requirement 11.6.1

Continuous detection of unauthorised modifications to payment page HTTP headers and scripts. Not quarterly. Not on a schedule. Continuously.

The gap most organisations face isn't awareness of the requirements — it's the difference between having a policy and being able to prove enforcement. A static script inventory in a spreadsheet satisfies the letter of 6.4.3 at the moment you create it. It doesn't reflect what's actually running on your payment pages a week later. A CSP header deployed without violation monitoring might be enforcing your policy — or it might be silently failing. You have no way to know without continuous monitoring and auditable evidence of what was allowed, what was blocked, and what changed.

A policy you can't prove is working isn't a control. It's a hope.

This is where client-side security intersects with compliance: not as a checkbox exercise, but as the operational capability that produces the evidence auditors actually require. How to meet PCI DSS 6.4.3 and 11.6.1 on your payment pages →

Evaluation

How to evaluate a client-side security approach

Not all approaches to client-side security are equal. Some solve the visibility problem but don't offer control. Some offer control but introduce new risk in the process. Here's what to look for — and what to avoid.

Does it show you what actually executes, or what it thinks should execute?

Static script inventories and simulated page scans don't reflect real runtime behaviour. The tool should monitor what's happening in real browsers — not what a crawler sees in a controlled environment.

Does it enforce policy, or just alert?

Detection is valuable. Control is the goal. A tool that tells you a suspicious script is running is less useful than one that lets you define what's allowed and enforces that definition at the point of execution.

Does it produce auditable evidence?

If you can't export a record of what ran, what was blocked, and what changed — with timestamps — you don't have the proof layer that compliance and leadership increasingly require.

Does it add code to your pages?

Some client-side security tools work by injecting their own JavaScript into your pages. That means they're protecting your site by adding another third-party script to it — exactly the kind of risk client-side security is supposed to address. If the tool's code breaks, misbehaves, or gets compromised, it's your site that pays the price.

Does it sit in your traffic path?

Tools that proxy your traffic or require agents create new dependencies and new points of failure. If the tool goes down, does your site go down with it?

Can you see value before you commit?

Client-side security shouldn't require a multi-week implementation project before you see anything useful. The best approaches deliver immediate visibility and let you build toward enforcement at your own pace.

Report URI works through browser-native standards — primarily Content Security Policy and the Reporting API. Nothing executes on your pages on Report URI's behalf: no agent, no proxy, no injected code, and no performance impact. Your site functions normally even if Report URI is unavailable, and setup takes minutes.

See what's actually running on your website.

One header. No infrastructure changes. See everything before you enforce anything.