Script Watch monitors every JavaScript dependency loading on your site and alerts you when something is added, removed, or modified. Continuous script inventory and change detection built on real browser data.
Every third-party script on your site is a dependency you don't control. Tag managers load scripts that load other scripts. Analytics libraries update without notice. CDN-hosted dependencies get modified upstream. A script you approved last quarter isn't necessarily the same script running today. Most teams don't know when a dependency changes — they find out when something breaks, when an auditor asks, or when a customer's payment data shows up somewhere it shouldn't.
Third-party vendors update their code on their own schedule. A script loaded from an external CDN can change between page loads. Unless you're monitoring for it, the change is invisible.
Tag managers, ad networks, and third-party widgets routinely load additional scripts — dependencies of dependencies. A single approved tag can introduce scripts your team has never reviewed.
A manual script inventory tells you what was running when you checked. It doesn't tell you what changed an hour later. The gap between audits is where unauthorised modifications go undetected.
Script Watch maintains a live inventory of every JavaScript resource loading on your site and monitors it continuously. When something changes, you know about it.
Script Watch builds and maintains a complete inventory of every script loading across your site — first-party and third-party, direct and transitive. You see each script's source, when it was first observed, when it was last seen, and how frequently it loads. No manual cataloguing. No spreadsheets.
When a new script appears, an existing script is modified, or a previously seen script disappears, Script Watch flags the change and notifies you. You see what changed, when it changed, and where on your site it was observed.
Third-party scripts frequently load additional scripts — subdependencies your team never directly approved. Script Watch maps the full dependency chain so you can see not just what's on your site, but how it got there.
Script Watch doesn't generate a firehose of alerts. It identifies distinct, actionable changes to your JavaScript dependencies — each logged with timestamps, the affected pages, and the script's position in the dependency chain.
| Change type | What it means |
|---|---|
| New script detected | A JavaScript resource is loading on your site that wasn't there before |
| Script modified | A previously inventoried script has changed — different content from the same source |
| Script removed | A previously observed script is no longer loading |
| New subdependency | A script you already track has started loading an additional script |
| Source change | A script is now loading from a different origin than previously observed |
This is the difference between “something changed” and knowing exactly what changed, when, and where.
Script Watch uses CSP reporting to observe what JavaScript actually loads in your users' browsers. The data comes from real sessions — not from a crawler hitting your pages on a schedule and missing what only loads for authenticated users, specific regions, or certain device types.
You don't need a full CSP to get started. Script Watch works with a minimal report-only header. Add it and script inventory begins populating from your first visitor.
Content-Security-Policy-Report-Only: script-src 'self';
report-uri https://your-subdomain.report-uri.com/r/d/csp/reportOnly
Already have CSP deployed? Add your Report URI endpoint to your existing header's report-uri directive and Script Watch starts populating from your CSP violation and enforcement data automatically.
PCI DSS 4.0.1 Requirement 6.4.3 mandates that every script on your payment pages is authorised, inventoried, and documented — continuously, not just at audit time. Script Watch produces the continuous script inventory and change detection log that this requirement demands. New scripts are flagged. Changes to existing scripts are recorded. The full history is exportable for your QSA.
This isn't the complete PCI story — Requirement 11.6.1 and the broader compliance evidence layer are covered on the PCI DSS Compliance page. But 6.4.3 starts here.
One header. No agents. Script inventory starts populating from your first visitor.
30-day free trial · One header · No agents · PCI DSS 4.0.1 ready
Script Watch tells you what JavaScript is on your site and when it changes. It doesn't determine whether a script is malicious, and it doesn't block anything from loading. It's the inventory and change detection layer — not the enforcement or threat analysis layer.
| Script Watch does | Pairs with |
|---|---|
| Continuous script inventory | CSP for policy enforcement — controlling what's allowed to load |
| Change detection and alerting | Threat Intelligence for IoC matching — identifying whether a script is known malicious |
| Dependency chain mapping | Data Watch for exfiltration monitoring — seeing where your pages send data |
| Historical audit trail | Policy Watch for CSP integrity — detecting changes to your security policy itself |
Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.