This article takes an honest look at the features of Imperva Client-side Protection.
Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify their claims yourself, please navigate to their product pages
What is Imperva Client-side Protection?
Imperva Client-Side Protection helps organizations monitor and control third-party JavaScript on their websites to prevent data leakage and supply chain attacks. It provides visibility into script behavior and supports automated Content Security Policy (CSP) generation to enforce security policies in the browser.
How Imperva Client-side Protection works
Imperva Client-Side Protection leans heavily on Content Security Policies (CSP) to enforce script-level security in the browser. CSPs define which domains are allowed to load scripts, creating a kind of perimeter around "trusted" sources.
However, CSPs only validate the origin of a script, not its content. The biggest client-side attack of 2024, the Polyfill attack, would not have been caught by a CSP. It also cannot stop malicious behavior embedded in allowed scripts, nor can it detect if content changes within the same URL.
CSPs also require ongoing maintenance. As websites integrate new third-party services, the CSP needs to be updated, or it risks breaking functionality.
In addition to CSPs, Imperva uses a browser-based “worker” to observe loaded scripts after the page has finished rendering. This worker acts similarly to a lightweight crawler, collecting information on first- and third-party scripts that run in real user sessions. It identifies new or changed scripts, logs their behavior, and uses a domain risk scoring system to flag potentially unsafe code.
However, because the worker runs after page load it doesn’t intercept scripts before they execute. It also doesn’t analyze the actual code payload in every unique user session. If a script delivers different content based on cookies, IP addresses, browser fingerprinting, or A/B test variants, the worker may never see the malicious version.
Finally, Imperva Client-side Protection requires you to be e an existing Imperva user to access Client-side Protection and pricing does not seem to be public.
How c/side goes further
c/side primarily offers a hybrid proxy approach which sits in between the user session and the 3rd party service. It analyzes the served dependencies code in real-time before serving it to the user.
This allows us to not only spot advanced highly targeted attacks and alert on them, c/side also makes it possible to block attacks before they touch the user's browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1. We even provide deep forensics, including if an attacker bypasses our detections. Allowing you to more tightly scope the size of the incident us to make our detection capabilities better every day. No other vendor has this capability.
We believe this is the most secure way to monitor and protect your dependencies across your entire website. We've spent years in the client-side security space before we started c/side, we've seen it all, this is the only way you can actually spot an attack.
We also offer a free CSP endpoint on top of our product to allow for layering, it's included. With c/side, you basically get the same thing as Report-URI on top for free.
Sign up or book a demo to get started.