This article takes an honest look at the features of Cloudflare Page Shield.
Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
Some of the folks on the c/side team have worked at Cloudflare and even contributed to the development of Page Shield. Even as a competitor in some areas, we hold Cloudflare in high regard.
If you want to verify their claims yourself, please navigate to their product pages.
| Criteria | c/side | Cloudflare Page Shield | Why It Matters | What the Consequences Are |
|---|---|---|---|---|
| Approaches used | Proxy | CSP + fetching script after | ||
| Real-time Protection | Attacks can occur between scans or in the excluded data when sampled | Delayed detection = active data breaches | ||
| Full Payload Analysis | Ensures deep visibility into malicious behaviors within script code itself | Threats go unnoticed unless the source is known on a threat feed | ||
| Dynamic Threat Detection | Identifies attacks that change based on user, time, or location | Missed detection of targeted attacks | ||
| DOM-Level Threat Detection | Tracks changes to the DOM and observes how scripts behave during runtime | Unable to identify sophisticated DOM-based attacks | ||
| 100% Historical Tracking & Forensics | Needed for incident response, auditing, and compliance | Needed for incident response, auditing, and compliance | ||
| Bypass Protection | Stops attackers from circumventing controls via DOM obfuscation or evasion | Stealthy threats continue undetected | ||
| Certainty the Script Seen by User is Monitored | Aligns analysis with what actually executes in the browser | Gaps between what's reviewed and what's actually executed | ||
| AI-driven Script Analysis | Detects novel or evolving threats through behavior modeling | Reliance on manual updates, threat feeds or rules = slow and error-prone detection | ||
| QSA validated PCI dash | The most reliable way to ensure a solution is PCI compliant is to conduct a thorough audit by an independent QSA | Without QSA validation, you rely entirely on marketing claims, which could result in failing an audit | ||
| SOC 2 Type II | Shows consistent operational security controls over time | Lacks verified security control validation, making it a risky vendor | ||
| PCI specific UI | An easy interface for quick script review and justification via one click or AI automation | Mundane tasks and manual research on what all the scripts do, which takes hours or days |
What is Cloudflare Page Shield?
Cloudflare Page Shield is a client-side security tool that monitors and analyzes third-party JavaScript running in users’ browsers. It helps detect malicious or unauthorized script changes by providing real-time alerts and visibility into the behavior of external dependencies.
How Cloudflare Page Shield works
Cloudflare Page Shield uses a crawler that fetches the script after the page has loaded. If a script changes or matches known malicious patterns, Page Shield will flag it and issue an alert. However, because the crawler fetches scripts independently, not in the context of a live user session. It cannot account for dynamically served payloads that vary based on cookies, user behavior, referrer headers, or other runtime conditions.
Attackers can also see the Cloudflare IP addresses and serve a non-malicious version of the script. This would not flag their detection mechanism.
Page Shield does not analyze every session. Instead, it samples traffic to optimize performance and reduce resource consumption. This approach makes sense from a cost perspective, but it also introduces severe blind spots in security monitoring.
To verify this, find a site that uses Page Shield, open your browser’s developer console, and refresh the page multiple times.
Page Shield leans heavily on Content Security Policies (CSP) to enforce script security. A CSP only trusts pre-approved script sources, not their content. Should the source stay the same but the content changes, like in the biggest client-side attack of 2024 – Polyfill – a CSP won’t catch it.
We wrote an in depth article on Why CSP Doesn’t Work in regards to providing the best client-side security solution:
CSP operates on an allow-list model, which permits resources from trusted domains but cannot block individual scripts or resources from those domains.
To our knowledge, Cloudflare Page Shield does store and analyze scripts. This means that once a script disappears from the monitoring window, there’s no way to retrieve it for future analysis and machine learning.
Finally, adopting Cloudflare Page Shield requires you to be an existing Cloudflare customer.
How c/side goes further
c/side primarily offers a hybrid proxy approach which sits in between the user session and the 3rd party service. It analyzes the served dependencies code in real-time before serving it to the user.
This allows us to not only spot advanced highly targeted attacks and alert on them, c/side also makes it possible to block attacks before they touch the user's browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1. We even provide deep forensics, including if an attacker bypasses our detections. Allowing you to more tightly scope the size of the incident us to make our detection capabilities better every day. No other vendor has this capability.
We believe this is the most secure way to monitor and protect your dependencies across your entire website. We've spent years in the client-side security space before we started c/side, we've seen it all, this is the only way you can actually spot an attack.
We also offer a free CSP endpoint on top of our product to allow for layering, it's included. With c/side, you basically get the same thing as Report-URI on top for free.
Sign up or book a demo to get started.
FAQ
Q: How does c/side's hybrid proxy differ from Cloudflare Page Shield's CSP approach?
A: The fundamental difference is depth of protection. Cloudflare Page Shield uses Content Security Policy (CSP) to block scripts from "bad" domains, but it never analyzes the actual JavaScript code inside those scripts. c/side's hybrid proxy intercepts every script, analyzes the complete payload with AI-driven detection, and blocks malicious content before it reaches the browser. This means we can catch attacks hidden within legitimate CDNs that CSP would miss entirely.
Q: Can attackers bypass c/side's protection like they can with Cloudflare Page Shield?
A: No, because c/side's core analysis happens on our proxy, completely invisible to attackers. CSP-based solutions like Page Shield are easily bypassed by attackers who compromise legitimate CDNs or create new domains that aren't on the blocklist. Since c/side analyzes the actual script content rather than just the source domain, attackers can't bypass our protection by simply changing domains. Our AI-powered analysis catches malicious code regardless of where it's hosted, providing protection that domain-based blocking simply cannot match.
Q: What forensic evidence does c/side provide compared to Cloudflare Page Shield's reporting?
A: Cloudflare Page Shield provides CSP violation reports showing which domains were blocked, but c/side captures and archives the exact malicious code that was attempted. This gives you complete forensic evidence showing precisely what the attack looked like and what data it was trying to steal. Auditors get immutable proof of the attack code rather than just a report that a domain was blocked.
Q: How do compliance requirements compare between c/side and Cloudflare Page Shield?
A: c/side provides superior PCI DSS compliance because we maintain complete records of every script payload and security header change, covering both requirements 6.4.3 and 11.6.1. Page Shield only addresses domain-level blocking for 6.4.3 but lacks the comprehensive script content monitoring and historical tracking that 11.6.1 requires. Our forensic-grade documentation creates the audit trail that compliance officers need.
Q: Why is c/side's payload analysis better than Cloudflare Page Shield's domain blocking?
A: Payload analysis prevents attacks that domain blocking misses entirely. Attackers regularly compromise legitimate CDNs and inject malicious code into trusted domains that CSP solutions would allow through. c/side's deep code analysis catches these "supply chain" attacks by examining what scripts actually do, not just where they come from. This approach blocks threats that domain-based protection cannot even detect.