This article takes an honest look at the features of Imperva Client-side Protection.
Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify their claims yourself, please navigate to their product page.
Feature | c/side | Imperva Client-side Protection
---|---|---
Doesn't solely rely on CSP policies | ✔️ | ✔️
Doesn't cause console errors | ✔️ |
Client-side JS script detection | ✔️ |
Uses threat feed intel | ✔️ | ✔️
Monitors WHOIS records | ✔️ | ✔️
Monitors SSL | ✔️ | ✔️
Able to detect inline scripts | ✔️ |
Uses AI and ML to analyse scripts | ✔️ |
Creates allow lists for scripts | ✔️ |
Blocks scripts before they enter the user's browser | ✔️ |
Proxies scripts | ✔️ |
Stores script content for future review | ✔️ |
Tracks historical changes in scripts | ✔️ |
Enhances script performance | ✔️ |
Paid tier starts at | $99 per month | Unknown
What Imperva Client-side Protection does well
Imperva Client-side Protection integrates well in the Imperva ecosystem. If you’re an existing customer, this add-on will be an easy integration.
They have a clear PCI dashboard that seems to work well for complying with PCI DSS requirements 6.4.3 and 11.6.1, which focus on client-side security. They also show a good amount of information regarding the origin and use of the scripts.
With a simple click, scripts can be blocked.
What Imperva Client-side Protection could do better
They rely solely on threat feeds and Content Security Policy (CSP), in combination with a “worker”.
They do “out of the box” blocking, similar to c/side, which most likely uses stored threat feed information to find known threats. This is a great add-on, but far from bulletproof. Here’s an example of threat feeds leaving an attack more than two years old undetected.
A second layer is Content Security Policy, which has become a standard approach to client-side security. Again, a good feature but far from bulletproof. CSP takes a “zero trust” approach that focuses on the domain a script is served from.
Allowing third-party resources in a CSP policy inherently trusts those external domains to remain secure. A compromised or malicious script served from a trusted third party still executes, bypassing CSP protection entirely.
They refer to a “worker” that checks the delivered JavaScript package. This is more than likely a crawler that fetches the page after it has loaded and been delivered to the user. The problem with a crawler is that attackers can see the request coming from Imperva. Since JavaScript is dynamic by design, it’s rather easy to serve a different version of a script on every request, so a skilled attacker can simply spot requests from Imperva’s IPs and serve normal, safe JavaScript to them.
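To make the CSP point concrete, here is a small, added example (not c/side's or Imperva's code) of how a `script-src` allow list is evaluated. The policy, the page origin `https://shop.example` and the vendor host `cdn.example-tagvendor.com` are constructed for illustration, and the matcher is deliberately simplified (no path matching, no default-port handling, no nonce or hash sources). What it shows is that the decision depends only on where a script is loaded from: two scripts with completely different contents, served from the same allow-listed third-party URL, get the same "allowed" verdict, because the policy never sees the bytes.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample policy: first party plus one allow-listed third-party host.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example-tagvendor.com"
PAGE_ORIGIN = "https://shop.example"  # constructed page origin


def parse_directives(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern_host: str, host: str) -> bool:
    """Host-source matching; '*.vendor.example' matches any subdomain."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])  # "*.x.y" -> ".x.y"
    return pattern_host == host


def source_allowed(expr: str, script_url: str, page_origin: str) -> bool:
    """Does one source expression permit loading script_url on page_origin?"""
    script, page = urlparse(script_url), urlparse(page_origin)
    expr_l = expr.lower()
    if expr_l == "'self'":
        return (script.scheme, script.hostname, script.port) == (
            page.scheme, page.hostname, page.port)
    if expr_l == "'none'":
        return False
    if expr_l.endswith(":") and "/" not in expr_l:  # scheme-source, e.g. "https:"
        return script.scheme == expr_l[:-1]
    # Host-source with optional scheme and port; path component ignored (simplification).
    pat = urlparse(expr_l if "://" in expr_l else "//" + expr_l)
    if pat.scheme and pat.scheme != script.scheme:
        return False
    if pat.port is not None and pat.port != script.port:
        return False
    return _host_matches(pat.hostname or "", script.hostname or "")


def script_allowed(header: str, script_url: str, page_origin: str) -> bool:
    """Evaluate script-src (falling back to default-src) for an external script."""
    directives = parse_directives(header)
    sources = directives.get("script-src", directives.get("default-src", []))
    return any(source_allowed(e, script_url, page_origin) for e in sources)


def compare_loads(header: str, page_origin: str, script_url: str,
                  bodies: list[str]) -> list[tuple[str, bool]]:
    """Hash each (constructed) script body and pair it with the policy verdict.
    The verdict is identical for every body: CSP decides on origin, not content."""
    return [(hashlib.sha256(b.encode()).hexdigest()[:12],
             script_allowed(header, script_url, page_origin)) for b in bodies]


if __name__ == "__main__":
    vendor_url = "https://cdn.example-tagvendor.com/tag.js"
    # Two constructed payloads served from the same allow-listed URL.
    bodies = ["window.vendorTag = {version: 1};",
              "window.vendorTag = {version: 1}; /* extra form-field reader */"]
    for digest, verdict in compare_loads(SAMPLE_CSP, PAGE_ORIGIN, vendor_url, bodies):
        print(f"sha256={digest}... allowed_by_csp={verdict}")
    print("unlisted host allowed:",
          script_allowed(SAMPLE_CSP, "https://unlisted.example/x.js", PAGE_ORIGIN))
```

Running it prints two different digests with `allowed_by_csp=True` for both, and `False` for the unlisted host. That is the gap the paragraph describes: CSP answers "is this origin trusted?", not "is this script still the one you reviewed?", so a change in script content at a trusted host needs a separate control that looks at the content itself.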
You need to be an existing Imperva user to access Client-side Protection and pricing does not seem to be public.
Finally, in December of 2023, Imperva was acquired by Thales, a public French multinational company that designs, develops, and manufactures electrical systems as well as devices and equipment for the aerospace, defense, transportation, and security sectors. Some management and operations changes could’ve been made in that time.
Our conclusion
While Imperva Client-side Protection offers more than most competitors, it’s not as robust as the proxy approach we use. With a proxy, we can spot and analyze scripts in real time and block malicious ones before they reach the user's browser, which we consider the best possible way to spot and block client-side attacks.
It should be noted that Imperva Client-side Protection does cover everything needed for PCI DSS requirements 6.4.3 and 11.6.1. It’s up to you to decide whether the level of protection lives up to your expectations.
We’ve laid out our thoughts on Imperva Client-side Protection and how we compare. We’d love to chat if you have any questions or concerns.