Script Watch

JavaScript security starts with knowing what changed

Script Watch monitors every JavaScript dependency loading on your site and alerts you when something is added, removed, or modified. Continuous script inventory and change detection built on real browser data.

What's at Stake

You approved those scripts once. They've changed since then.

Every third-party script on your site is a dependency you don't control. Tag managers load scripts that load other scripts. Analytics libraries update without notice. CDN-hosted dependencies get modified upstream. A script you approved last quarter isn't necessarily the same script running today. Most teams don't know when a dependency changes — they find out when something breaks, when an auditor asks, or when a customer's payment data shows up somewhere it shouldn't.

Silent Updates

Scripts change without notification

Third-party vendors update their code on their own schedule. A script loaded from an external CDN can change between page loads. Unless you're monitoring for it, the change is invisible.

Unapproved Scripts

New scripts appear without approval

Tag managers, ad networks, and third-party widgets routinely load additional scripts — dependencies of dependencies. A single approved tag can introduce scripts your team has never reviewed.

Audit Gaps

Point-in-time audits miss what happens between audits

A manual script inventory tells you what was running when you checked. It doesn't tell you what changed an hour later. The gap between audits is where unauthorised modifications go undetected.

What Script Watch Does

Continuous JavaScript inventory and change detection

Script Watch maintains a live inventory of every JavaScript resource loading on your site and monitors it continuously. When something changes, you know about it.

Script Inventory

Every JavaScript dependency, catalogued automatically

Script Watch builds and maintains a complete inventory of every script loading across your site — first-party and third-party, direct and transitive. You see each script's source, when it was first observed, when it was last seen, and how frequently it loads. No manual cataloguing. No spreadsheets.

Change Detection

Alerted the moment a dependency is added, removed, or modified

When a new script appears, an existing script is modified, or a previously seen script disappears, Script Watch flags the change and notifies you. You see what changed, when it changed, and where on your site it was observed.

Dependency Mapping

See what loads what

Third-party scripts frequently load additional scripts — subdependencies your team never directly approved. Script Watch maps the full dependency chain so you can see not just what's on your site, but how it got there.

Detection

Every change, logged with context

Script Watch doesn't generate a firehose of alerts. It identifies distinct, actionable changes to your JavaScript dependencies — each logged with timestamps, the affected pages, and the script's position in the dependency chain.

Change type What it means
New script detected A JavaScript resource is loading on your site that wasn't there before
Script modified A previously inventoried script has changed — different content from the same source
Script removed A previously observed script is no longer loading
New subdependency A script you already track has started loading an additional script
Source change A script is now loading from a different origin than previously observed

This is the difference between “something changed” and knowing exactly what changed, when, and where.

Architecture

Browser-native monitoring. No agents. No crawlers.

Script Watch uses CSP reporting to observe what JavaScript actually loads in your users' browsers. The data comes from real sessions — not from a crawler hitting your pages on a schedule and missing what only loads for authenticated users, specific regions, or certain device types.

You don't need a full CSP to get started. Script Watch works with a minimal report-only header. Add it and script inventory begins populating from your first visitor.

Minimal setup — no existing CSP
Content-Security-Policy-Report-Only: script-src 'self';
  report-uri https://your-subdomain.report-uri.com/r/d/csp/reportOnly

Already have CSP deployed? Add your Report URI endpoint to your existing header's report-uri directive and Script Watch starts populating from your CSP violation and enforcement data automatically.

No JavaScript agent added to your pages

No crawler simulating page loads

Data from real browser sessions, across real users

Your site's performance is unaffected

Catches scripts that only load under specific conditions — authenticated sessions, geo-targeted content, A/B tests

PCI DSS 6.4.3

Script Watch and PCI DSS compliance

PCI DSS 4.0.1 Requirement 6.4.3 mandates that every script on your payment pages is authorised, inventoried, and documented — continuously, not just at audit time. Script Watch produces the continuous script inventory and change detection log that this requirement demands. New scripts are flagged. Changes to existing scripts are recorded. The full history is exportable for your QSA.

This isn't the complete PCI story — Requirement 11.6.1 and the broader compliance evidence layer are covered on the PCI DSS Compliance page. But 6.4.3 starts here.

Get Started

See every script on your site. Know when they change.

One header. No agents. Script inventory starts populating from your first visitor.

30-day free trial  ·  One header  ·  No agents  ·  PCI DSS 4.0.1 ready

Scope

One layer in the stack. Here's how it fits.

Script Watch tells you what JavaScript is on your site and when it changes. It doesn't determine whether a script is malicious, and it doesn't block anything from loading. It's the inventory and change detection layer — not the enforcement or threat analysis layer.

Script Watch does Pairs with
Continuous script inventory CSP for policy enforcement — controlling what's allowed to load
Change detection and alerting Threat Intelligence for IoC matching — identifying whether a script is known malicious
Dependency chain mapping Data Watch for exfiltration monitoring — seeing where your pages send data
Historical audit trail Policy Watch for CSP integrity — detecting changes to your security policy itself

Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.