This article takes an honest look at the features of Cloudflare Page Shield vs c/side. Please note that, since you’re on the c/side website, we are obviously biased. Still, we try to present both tools in the same light. If you want to do more research, here’s Cloudflare’s Page Shield product page.
Let’s list out the differences first. Scroll further down to see the features described in more detail, and what we think of them.
Full transparency
Some of the folks on the c/side team have worked at Cloudflare, and some of us even worked on Page Shield. We highly respect Cloudflare as a company and have close relationships with the staff to this day. Any information shared in this blog post is publicly available.
The differences between Page Shield and c/side
Feature | c/side | Cloudflare Page Shield |
---|---|---|
Doesn't use CSP policies | ✅ | |
Doesn't cause errors in the browser console | ✅ | |
Client side JS script detection | ✅ | |
Uses threat feed intel | ✅ | ✅ |
Monitors WHOIS records | ✅ | ✅ |
Monitors SSL | ✅ | |
Able to detect inline scripts | ✅ | |
Uses AI to analyse scripts | ✅ | ML classifier to detect obfuscation |
Is able to block scripts without creating an allow list for all other scripts | ✅ | |
Proxies scripts | ✅ | |
Stores script content for future review | ✅ | |
Has 100% certainty that the script reviewed is the one seen by the browser of the user | ✅ | |
Paid tier starts at | $99 per month | $1,500 per month |
What we heard from customer feedback
During a demo call with an enterprise customer, they told us what they disliked about Cloudflare Page Shield:
- Page Shield does not analyze scripts after they have been loaded. Consequently, if a malicious script is injected after the initial loading, there are no mechanisms in place to detect it retroactively.
- The machine learning engine employed by Page Shield is unable to differentiate between legitimate and malicious scripts. For instance, if a user attempts to load a script that is disguised as a legitimate resource, Page Shield cannot effectively manage this situation.
Let's continue with what we disliked in our own experiences:
What we don’t like about Page Shield
Page Shield only covers a sample of user sessions, referred to as sample view, to save on resources. That’d be like turning your security cameras off 328 days of the year to save on electricity. Risky business.
You can easily test this yourself. Find a site that runs Page Shield, open the console, and refresh your page a few times. You can see when the CSP headers get added as this will cause an error in your browser developer console.
Their malicious script detection and alerting, as well as their code change detection and alerting, detect known attacks and rely heavily on threat feed intel. They lock this information in the enterprise tier, with Page Shield as an add-on, which puts it out of range for most businesses due to price. Page Shield consumes threat feed intel from the same sources as Cloudflare Radar, which is available for free.
Speaking of pricing, Cloudflare's pricing has become a tad obscure. Reports are that Page Shield starts at $1,500 per month, and as an add-on to other packages, meaning you are already paying for other security features before you can activate Page Shield.
They also rely heavily on Content Security Policies, which have severe limitations. A Content Security Policy lets developers define a list of sources the page can trust to fetch resources from or connect to. It is fundamentally unable to share or review the payload of a script, meaning that with CSP you are limited to trusting the source, not actively verifying what it delivers.
We also store every version of the script’s content for review and to update our detection mechanisms, which is something Page Shield does not do.
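To make the two points above concrete, here is an added example (not c/side's or Cloudflare's code). It assumes a simplified subset of CSP host-source matching, and the hostnames and script bodies are constructed. The CSP decision takes only the URL as input, while a per-URL hash history makes a changed payload visible.

```javascript
const crypto = require("crypto");

// Simplified subset of CSP script-src matching: optional scheme plus host,
// with an optional "*." wildcard. Real CSP also handles ports, paths,
// nonces and hashes. Note that the script body is not an input here.
function cspAllows(sourceList, scriptUrl) {
  const url = new URL(scriptUrl);
  return sourceList.some((src) => {
    const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)$/.exec(src);
    if (!m) return false;
    const [, scheme, wildcard, host] = m;
    if (scheme && url.protocol !== scheme + ":") return false;
    return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  });
}

// Keeps the SHA-256 of every body seen per URL (hypothetical helper class).
class ScriptHistory {
  constructor() { this.versions = new Map(); }
  record(scriptUrl, body) {
    const digest = crypto.createHash("sha256").update(body).digest("hex");
    const seen = this.versions.get(scriptUrl) ?? [];
    const status = seen.length === 0 ? "new"
      : seen.includes(digest) ? "known" : "changed";
    if (status !== "known") seen.push(digest);
    this.versions.set(scriptUrl, seen);
    return { status, digest, versionCount: seen.length };
  }
}

// Constructed sample data: one allowed third-party URL, two different bodies.
const policy = ["https://cdn.example.com", "*.analytics.example"];
const scriptUrl = "https://cdn.example.com/widget.js";
const original = "window.widget = { init() {} };";
const modified = original + "/* code appended later by the third party */";

function demo() {
  const history = new ScriptHistory();
  return {
    csp: cspAllows(policy, scriptUrl), // same answer for either body
    cspOther: cspAllows(policy, "https://other.example.net/x.js"),
    first: history.record(scriptUrl, original).status,
    second: history.record(scriptUrl, modified).status,
    repeat: history.record(scriptUrl, modified).status,
  };
}

console.log(demo());
```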
One fundamental flaw of Page Shield is that it seeks to fetch the script after the event and analyze it using a home-built ML engine. The bad actor does not see the IP of a normal residential user; instead, it sees a Cloudflare IP, which makes it likely that the bad actor will simply not respond with a script, or will respond with a clean script. The ML engine is also rather obscure and offers limited visibility into how it works and what it is able to detect. We suggest that anyone test the product before buying by looking for a semi-malicious script, or writing one yourself, and placing it on a staging site to see if it is able to detect the script.
Lastly, they don’t offer a proxy, which is in our opinion the most secure way of handling third-party scripts. This is unfortunately not a shortcoming unique to Page Shield, as most other competitors don’t provide this either. The result is that they are not certain what script the user received.
Your choice!
So there you have it, our thoughts on Page Shield and how we differ. Have we made our case or are you still looking for some more information? Instead of Page Shield, you can just get started with our free tier in a few minutes to try it out.
Get started with c/side.
Or, you can go here to read more on how c/side works and find other comparisons.