This article takes an honest look at the features of Cloudflare Page Shield vs c/side.
Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify these claims yourself, please navigate to their product page.
Unlike c/side, Cloudflare Page Shield does not sit in the delivery flow of third-party scripts. It uses a crawler that tries to capture the delivered script after the fact. Because these scripts are dynamic, the crawler is not guaranteed to receive the same payload the visitor did. It likely sometimes fetches a different script, which causes mistakes.
Full transparency
Some of the folks on the c/side team have worked at Cloudflare and even contributed to the development of Page Shield. Even as a competitor in some areas, we hold Cloudflare in high regard.
Feature | c/side | Cloudflare Page Shield |
---|---|---|
Doesn't solely rely on CSP policies | ✔️ | |
Doesn't cause console errors | ✔️ | |
Client side JS script detection | ✔️ | |
Uses threat feed intel | ✔️ | ✔️ |
Monitors WHOIS records | ✔️ | ✔️ |
Monitors SSL | ✔️ | |
Able to detect inline scripts | ✔️ | |
Uses AI and ML to analyse scripts | ✔️ | ✔️ |
Creates allow lists for scripts | ✔️ | ✔️ |
Block scripts before entering the user's browser | ✔️ | |
Proxies scripts | ✔️ | |
Stores script content for future review | ✔️ | |
Tracks historical changes in scripts | ✔️ | |
Enhances script performance | ✔️ | |
Paid tier starts at | $99 per month | $1,500 per month |
What we heard from customers
During a demo call with an enterprise customer, they pointed out specific shortcomings of Cloudflare Page Shield:
- No post-load script analysis: Page Shield does not analyze scripts after they have been loaded into the browser. This means that if a malicious script is injected dynamically after the initial page load—such as through a compromised third-party service—it goes undetected.
- Challenges with detecting disguised scripts: Page Shield’s machine learning (ML) model primarily detects known attack patterns but struggles with obfuscation and novel threats. If a script is disguised as a legitimate resource but behaves maliciously in execution, Page Shield may fail to identify it.
What Cloudflare Page Shield does well
Cloudflare Page Shield integrates with the whole Cloudflare ecosystem. If you are already using other Cloudflare features, it’s a nice bonus that lets you get started quickly. It has also recently become available on all plans.
While they don’t publicly display pricing, the features included in each plan are listed publicly, allowing you to find the package you need. They also have a public changelog where you can see recent updates to the platform.
Similar to most competitors, Page Shield does cover PCI DSS compliance requirements 6.4.3 and 11.6.1.
What Cloudflare Page Shield could do better
Beyond customer feedback, we’ve evaluated Page Shield ourselves and found several limitations.
Cloudflare Page Shield uses a crawler that fetches the script after the page has loaded. This does not ensure that it sees the script that was served to the visitor. A crafty attacker can simply see the Cloudflare IP addresses and serve a non-malicious version of the script. This would not trigger their detection mechanism.
Most of the features you expect a modern SaaS solution to have are locked in a high-tier plan and only as an add-on. Without public pricing this may make it harder to evaluate it against competitor products.
Let’s dive deeper into other facts about how Page Shield works.
1. Sampling of user sessions
Page Shield does not analyze every session. Instead, it samples traffic to optimize performance and reduce resource consumption. This approach makes sense from a cost perspective, but it also introduces severe blind spots in security monitoring.
To put it in perspective: If you only record security footage for a fraction of the year, you’re increasing the risk of missing critical events. The same applies here—an attacker only needs one successful injection to compromise a user.
You can verify this yourself.
Find a site that uses Page Shield, open your browser’s developer console, and refresh the page multiple times. You’ll see the script firing inconsistently, indicating when Page Shield is active and when it isn't.
2. Heavy reliance on CSP policies
Page Shield leans heavily on Content Security Policies (CSP) to enforce script security. While CSP is a useful layer of defense, it has fundamental limitations:
- CSP is based on source trust, not payload validation: A CSP allows developers to define a list of trusted domains from which scripts can be loaded. However, it does not inspect or validate the content of those scripts. If a trusted source is compromised, CSP alone cannot prevent malicious execution.
- CSP rules require constant maintenance: Many enterprises struggle to maintain strict CSP rules because modern websites rely on dynamic third-party scripts (e.g., analytics, payment gateways). Page Shield inherits this issue—it requires businesses to manually configure allowlists, which can lead to misconfigurations or excessive script blocking.
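The gap described in the first bullet, as an added example that is not c/side or Cloudflare code: a host allowlist decision next to a content-hash decision for the same script URL. The host names, script bodies and function names are constructed for illustration; the digest uses the `sha384-<base64>` form that CSP hash sources and Subresource Integrity use.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed policy: hosts a CSP script-src allowlist would trust.
ALLOWED_SCRIPT_HOSTS = {"cdn.analytics.example", "pay.gateway.example"}


def host_allowed(script_url: str) -> bool:
    """Source-trust decision: only the scheme and host of the URL are examined."""
    parts = urlsplit(script_url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_SCRIPT_HOSTS


def content_digest(body: bytes) -> str:
    """Digest of the payload in 'sha384-<base64>' form."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")


def evaluate(script_url: str, body: bytes, pinned: dict) -> dict:
    """Report what the allowlist decides and what a payload check decides."""
    expected = pinned.get(script_url)
    return {
        "host_allowed": host_allowed(script_url),
        "payload_matches": expected is not None and expected == content_digest(body),
    }


# Constructed sample data: the script as reviewed, and a modified copy served
# later from the same trusted URL after the upstream source changed.
URL = "https://cdn.analytics.example/tag.js"
REVIEWED = b"window.track = function (e) { /* send page view */ };"
MODIFIED = REVIEWED + b"\n/* extra code added upstream */"
PINNED = {URL: content_digest(REVIEWED)}

if __name__ == "__main__":
    for label, body in (("reviewed", REVIEWED), ("modified", MODIFIED)):
        print(label, evaluate(URL, body, PINNED))
```

The modified body is still allowed by the host check and is only caught by the digest comparison, which is also why pinned digests need updating whenever a dynamic third-party script legitimately changes.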
3. Limited threat intelligence for small businesses
Cloudflare Page Shield primarily detects threats by consuming threat feed intelligence, much of which comes from Cloudflare Radar—a free resource. However, many of its detection and alerting capabilities are locked behind enterprise pricing tiers.
This creates an issue for smaller businesses:
- You’re either paying $1,500/month (based on latest pricing) for intelligence that relies on the same open-source feeds available for free.
- Or you’re left with limited protection, as many detection mechanisms are only available at the highest pricing tiers.
4. No persistent script storage
At c/side, we store every version of scripts seen in the wild to provide historical visibility and improve detection models. This allows security teams to:
- Track changes in scripts over time.
- Identify previously undetected threats.
- Conduct retroactive investigations after a breach.
Cloudflare Page Shield does not offer this feature. This means that once a script disappears from the monitoring window, there’s no way to retrieve it for future analysis.
5. Post-load script analysis weaknesses
Page Shield attempts to fetch and analyze scripts after the event using Cloudflare’s ML models. However, this approach has a serious flaw:
- Attackers can detect Cloudflare’s IP addresses and serve a clean version of the script when requested.
- Meanwhile, actual users receive a malicious version of the script.
This technique, known as server-side cloaking, is a well-documented evasion strategy in cybersecurity. Since Page Shield operates at the edge rather than inside the browser, it cannot detect what the end-user actually receives.
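An added example, not c/side or Cloudflare code, covering sections 4 and 5 together: an archive that keeps every script version it is shown and flags versions that visitor sessions loaded but the crawler never received. The class, field names, URL and sample observations are constructed, and it assumes some in-browser component reports the script body each session loaded.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    url: str
    vantage: str  # "browser" = loaded in a visitor session, "crawler" = fetched afterwards
    seen_at: str  # ISO 8601 UTC timestamp, so string order is time order
    body: bytes

class ScriptArchive:
    """Keeps every distinct body per URL so older versions stay retrievable."""
    def __init__(self) -> None:
        self.bodies = {}                    # sha256 hex -> script body
        self.sightings = defaultdict(list)  # url -> [(seen_at, vantage, sha256)]

    def record(self, obs: Observation) -> str:
        digest = hashlib.sha256(obs.body).hexdigest()
        self.bodies.setdefault(digest, obs.body)
        self.sightings[obs.url].append((obs.seen_at, obs.vantage, digest))
        return digest

    def history(self, url: str) -> list:
        """(first_seen, sha256) for each version of the script, oldest first."""
        first_seen = {}
        for seen_at, _, digest in sorted(self.sightings.get(url, [])):
            first_seen.setdefault(digest, seen_at)
        return sorted((ts, digest) for digest, ts in first_seen.items())

    def browser_only(self, url: str) -> set:
        """Versions that visitors received but the crawler never fetched."""
        seen = defaultdict(set)
        for _, vantage, digest in self.sightings.get(url, []):
            seen[vantage].add(digest)
        return seen["browser"] - seen["crawler"]

# Constructed sample observations for one third-party script.
URL = "https://widgets.example/chat.js"
CLEAN, ALTERED = b"initChat();", b"initChat(); /* differs from crawler copy */"
ARCHIVE = ScriptArchive()
for when, vantage, body in [("2025-01-10T09:00:00Z", "browser", CLEAN),
                            ("2025-01-10T09:05:00Z", "crawler", CLEAN),
                            ("2025-01-12T14:00:00Z", "browser", ALTERED),
                            ("2025-01-12T14:05:00Z", "crawler", CLEAN)]:
    ARCHIVE.record(Observation(URL, vantage, when, body))

if __name__ == "__main__":
    print(ARCHIVE.history(URL), ARCHIVE.browser_only(URL))
```

A non-empty `browser_only` result is a prompt for review rather than proof of tampering, since dynamic scripts can differ between fetches; the archived body is what makes that review possible later.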
6. No proxy for third-party scripts
One of the best ways to secure third-party scripts is proxying—where scripts are retrieved, analyzed, and hosted in a controlled environment before being served to users. At c/side, we offer this functionality to ensure complete visibility into what users actually receive.
Page Shield does not proxy third-party scripts. Instead, it relies on CSP-based blocking, which, as mentioned earlier, does not inspect payloads—only their origin.
Our conclusion
Page Shield is a well-intended product but has fundamental design choices that limit its effectiveness in protecting against modern client-side attacks. Its reliance on sampling and CSP policies introduces gaps that can be exploited by sophisticated attackers.
c/side was built with a different approach, introducing the proxy to the client-side security space. This allows us to see the payload of the script and block any malicious activity before it loads in the browser of users.
We have offered a free tier from the start, and recently Page Shield also created a free tier option. Please try out both and see the differences first-hand.
We’ve laid out our thoughts on Cloudflare Page Shield and how we compare. If you’re looking for an alternative that provides deeper visibility and control, sign up now or get in touch.