This article takes an honest look at the features of Cloudflare Page Shield.
Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
Some of the folks on the c/side team have worked at Cloudflare and even contributed to the development of Page Shield. Even as a competitor in some areas, we hold Cloudflare in high regard.
If you want to verify their claims yourself, please navigate to their product pages.
What is Cloudflare Page Shield?
Cloudflare Page Shield is a client-side security tool that monitors and analyzes third-party JavaScript running in users’ browsers. It helps detect malicious or unauthorized script changes by providing real-time alerts and visibility into the behavior of external dependencies.
How Cloudflare Page Shield works
Cloudflare Page Shield uses a crawler that fetches the script after the page has loaded. If a script changes or matches known malicious patterns, Page Shield will flag it and issue an alert. However, because the crawler fetches scripts independently, not in the context of a live user session. It cannot account for dynamically served payloads that vary based on cookies, user behavior, referrer headers, or other runtime conditions.
Attackers can also see the Cloudflare IP addresses and serve a non-malicious version of the script. This would not flag their detection mechanism.
Page Shield does not analyze every session. Instead, it samples traffic to optimize performance and reduce resource consumption. This approach makes sense from a cost perspective, but it also introduces severe blind spots in security monitoring.
To verify this, find a site that uses Page Shield, open your browser’s developer console, and refresh the page multiple times.
Page Shield leans heavily on Content Security Policies (CSP) to enforce script security. A CSP only trusts pre-approved script sources, not their content. Should the source stay the same but the content changes, like in the biggest client-side attack of 2024 – Polyfill – a CSP won’t catch it.
We wrote an in depth article on Why CSP Doesn’t Work in regards to providing the best client-side security solution:
CSP operates on an allow-list model, which permits resources from trusted domains but cannot block individual scripts or resources from those domains.
To our knowledge, Cloudflare Page Shield does store and analyze scripts. This means that once a script disappears from the monitoring window, there’s no way to retrieve it for future analysis and machine learning.
Finally, adopting Cloudflare Page Shield requires you to be an existing Cloudflare customer.
c/side, uses a proxy approach which sits in between every actual user session. It checks the actual payload of every page view, and analyzes the served dependencies code in real-time before serving it to the user.
This allows us to not only spot 0-day attacks and alert, c/side also makes it possible to block attacks before they touch the user’s browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1
We believe this is the most secure way to monitor and protect your dependencies across your entire website.
Sign up or book a demo to get started.