Linkedin Tag

Back to blog

Cloudflare Page Shield vs c/side

Sunday, April 28th, 2024

Updated June 27th, 2024
Carlo D'Agnolo's profile picture

Carlo D'Agnolo

This article takes an honest look at the features of Cloudflare Page Shield vs c/side. Please note that, since you’re on the c/side website, we are obviously biased. Yet we try to present both tools in the same daylight. If you want to do more research, here’s Cloudflare’s Page Shield product page.

Let’s list out the differences first. Scroll further down to see the features described in more detail, and what we think of them.

Full transparency

Some of the folks on the c/side team have worked at Cloudflare and some of us even worked on Page Shield. We highly respect Cloudflare as a company and have close relationships with the staff to date. Any information shared in this blogpost is publicly available.

The differences between Page Shield and c/side

c/side Cloudflare Page Shield
Doesn't use CSP policies
Doesn't cause errors in the browser terminal
Client side JS script detection
Uses threat feed intel
Monitors Who-is records
Monitors SSL
Able to detect inline scripts
Uses AI to analyse scripts ML classifier to detect obfuscation
Is able to block scripts without creating an allow list for all other scripts
Proxies scripts
Stores script content for future review
Has 100% certainty that the script reviewed is the one seen by the browser of the user
Paid tier starts at $99 per month $1,500 per month

What we don’t like about Page Shield

Page Shield only covers a sample of user sessions, referred to as sample view, to save on resources. That’d be like turning your security cameras off 328 days of the year to save on electricity. Risky business.

You can easily test this yourself. Find a site that runs Page Shield, open the console, and refresh your page a few times. You can see when the CSP headers get added as this will cause an error in your browser developer console.

Their malicious script detection and alerting, as well as code change detection and alerting detect known attacks and heavily rely on threat feed intel. Only they lock them in the enterprise tier with Page Shield as an add-on, which renders them mostly out of range for most businesses due to pricing. Page Shield consumes threat feed intel from the same sources as Cloudflare Radar which is available for free.

Speaking of pricing, Cloudflare's pricing has become a tad obscure. Reports are that Page Shield starts at $1,500 per month, and as an add-on to other packages. Meaning you are already paying for other security features before you can activate Page Shield.

They also rely heavily on Content Security Policies, which has severe limitations. Content Security Policies allow developers to define a list of sources it can trust to fetch resources from or connect to. It is fundamentally unable to actively share or review the payloads of a script, meaning with CSP policies you are limited to trusting the source but not actively verifying what it delivers.

We also store every version of the script’s content for review and to update our detection mechanisms, which is something Page Shield does not do.

One fundamental flaw of Page Shield is that it seeks to fetch the script after the event to analyze using a home built ML engine. The bad actor does not see the IP of a normal residential user, instead it sees a Cloudflare IP which makes it likely that the bad actor will simply not respond with a script or respond with a clean script. The ML engine is also rather obscure and offers limited visibility in how it works and what it is able to detect. We suggest anyone to test the product before buying by looking for a semi malicious script or writing one yourself and placing it on a staging site to see if it is able to detect the script.

Lastly, they don’t offer a proxy, which is in our opinion the most secure way of handling 3rd party scripts. This is unfortunately not a unique shortcoming to Page Shield, as most other competitors don’t provide this either. The result is that they are not certain what script the user received.

Your choice!

So there you have it, our thoughts on Page Shield and how we differ. Have we made our case or are you still looking for some more information? Instead of Page Shield, you can just get started with our free tier in a few minutes to try it out.

Get started with c/side.

Or, you can go here to read more on how c/side works and find other comparisons.