This article takes an honest look at the features of Imperva Client-side Protection.
Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify their claims yourself, please navigate to their product pages
What is Imperva Client-side Protection?
Imperva Client-Side Protection helps organizations monitor and control third-party JavaScript on their websites to prevent data leakage and supply chain attacks. It provides visibility into script behavior and supports automated Content Security Policy (CSP) generation to enforce security policies in the browser.
How Imperva Client-side Protection works
Imperva Client-Side Protection leans heavily on Content Security Policies (CSP) to enforce script-level security in the browser. CSPs define which domains are allowed to load scripts, creating a kind of perimeter around "trusted" sources.
However, CSPs only validate the origin of a script, not its content. The biggest client-side attack of 2024, the Polyfill attack, would not have been caught by a CSP. It also cannot stop malicious behavior embedded in allowed scripts, nor can it detect if content changes within the same URL.
CSPs also require ongoing maintenance. As websites integrate new third-party services, the CSP needs to be updated, or it risks breaking functionality.
In addition to CSPs, Imperva uses a browser-based “worker” to observe loaded scripts after the page has finished rendering. This worker acts similarly to a lightweight crawler, collecting information on first- and third-party scripts that run in real user sessions. It identifies new or changed scripts, logs their behavior, and uses a domain risk scoring system to flag potentially unsafe code.
However, because the worker runs after page load it doesn’t intercept scripts before they execute. It also doesn’t analyze the actual code payload in every unique user session. If a script delivers different content based on cookies, IP addresses, browser fingerprinting, or A/B test variants, the worker may never see the malicious version.
Finally, Imperva Client-side Protection requires you to be e an existing Imperva user to access Client-side Protection and pricing does not seem to be public.
c/side however, uses a proxy approach which sits in between every actual user session. It checks the actual payload of every page view, and analyzes the served dependencies code in real-time before serving it to the user.
This allows us to not only spot 0-day attacks and alert, c/side also makes it possible to block attacks before they touch the user’s browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1
We believe this is the most secure way to monitor and protect your dependencies across your entire website.
Sign up or book a demo to get started.