DomDog vs c/side

Sunday, March 2nd, 2025

Carlo D'Agnolo

This article takes an honest look at the features of DomDog.

Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.

If you want to verify their claims yourself, please navigate to their product page.

DomDog is a tool specifically designed to address PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1. Keep in mind that on January 30th, 2025, an update was issued on which companies need to comply with both requirements.

SAQ A companies now no longer need to comply, provided that:

their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).

Find the full PCI DSS update stating this.

c/side DomDog
Doesn't solely rely on CSP policies ✔️ ✔️
Doesn't cause console errors ✔️ ✔️
Client side JS script detection ✔️
Uses threat feed intel ✔️ ✔️
Monitors Who-is records ✔️
Monitors SSL ✔️
Able to detect inline scripts ✔️
Uses AI and ML to analyse scripts ✔️
Creates allow lists for scripts ✔️ ✔️
Block scripts before entering the user's browser ✔️
Proxies scripts ✔️
Stores script content for future review ✔️
Tracks historical changes in scripts ✔️
Performance enhances scripts ✔️
Paid tier starts at $99 per month $99 per year

What DomDog does well

DomDog’s founders have a long history and track record in client-side security. All information regarding their product, and their pricing, is fully visible and very easy to find. This is rare with products in our space. Pricing starts at $999 per year, similar to c/side.

DomDog is tailor-made for PCI DSS requirements 6.4.3 and 11.6.1, focusing on client-side security. Their setup process is incredibly easy, and similar to ours. Both require just a single script to be added to the header tag of your website, though the functionality of the two scripts is different.

Their reviews state that users find it an easy and lightweight tool that satisfies the PCI DSS requirements.

What DomDog does not do so well

It seems like they are collecting data, showing the scripts in a dashboard and asking the user to review them. While okay for PCI, it’s not the best approach from a security standpoint.

Say a stored XSS script turns malicious: they won’t be able to detect it, since they don’t sit in the flow of the delivery. This approach is often called a JavaScript “Agent”. JavaScript Agents operate within the JavaScript layer and cannot monitor code outside of it. The agent scans for which data various scripts are collecting and allows the user to black- or whitelist certain scripts on certain websites or pages.

They do use a secondary approach, a Content Security Policy (CSP). A CSP acts like a firewall which only trusts pre-approved script sources, not their content. Should the source stay the same but the content change, as in the biggest client-side attack of 2024 – Polyfill – a CSP won’t catch it.

We wrote an in-depth article, Why CSP Doesn’t Work, on why CSP falls short as a client-side security solution:

CSP operates on an allow-list model, which permits resources from trusted domains but cannot block individual scripts or resources from those domains.
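The point above about an allow-listed source whose content changes, as an added example (not code from c/side or DomDog): a simplified host-source check for `script-src` next to a SHA-384 comparison of the script body. The policy, URLs and script bodies are constructed, and the matcher deliberately ignores paths, wildcards, nonces and hash sources.

```javascript
const crypto = require("crypto");

// Constructed policy, page origin and script URL (placeholders, not real sites).
const CSP_HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE_ORIGIN = "https://shop.example.com";
const SCRIPT_URL = "https://cdn.example.com/lib/widget.js";

// Return the source list of one directive from a CSP header value.
function directiveSources(header, name) {
  for (const part of header.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/);
    if (directive.toLowerCase() === name) return sources;
  }
  return [];
}

// Origin of a source expression, or null for keywords such as 'none'.
function sourceOrigin(src) {
  try { return new URL(src).origin; } catch { return null; }
}

// Simplified host-source match: the decision depends on the URL only.
function cspAllows(header, scriptUrl, pageOrigin) {
  const origin = new URL(scriptUrl).origin;
  return directiveSources(header, "script-src").some((src) =>
    src === "'self'" ? origin === pageOrigin : sourceOrigin(src) === origin
  );
}

// SRI-style digest of the delivered script body.
function sha384(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// Compare one observed delivery against the policy and the hash recorded at approval.
function review(url, body, approvedHash) {
  return {
    cspAllows: cspAllows(CSP_HEADER, url, PAGE_ORIGIN),
    contentUnchanged: sha384(body) === approvedHash,
  };
}

// Constructed script bodies: the second stands in for a later change at the same URL.
const APPROVED_BODY = "window.widget = { version: 1 };";
const CHANGED_BODY = APPROVED_BODY + "\n/* constructed: code added later at the same URL */";
const APPROVED_HASH = sha384(APPROVED_BODY);

const before = review(SCRIPT_URL, APPROVED_BODY, APPROVED_HASH);
const after = review(SCRIPT_URL, CHANGED_BODY, APPROVED_HASH);
console.log({ before, after });
```

The source check returns the same verdict for both deliveries; only the comparison against the recorded hash registers that the body changed.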

We could not find a SOC2 or PCI DSS certification.

Our conclusion

DomDog is a product tailor-made to comply with PCI DSS 6.4.3 and 11.6.1. They have some measures which we regularly see in other competitors, but they don’t offer the highest level of security.

We’ve laid out our thoughts on DomDog and how we compare. We’d love to chat if you have any questions.

More About Carlo D'Agnolo

I'm the Head of Marketing at c/side.