Compare
At c/side, we're creating the ultimate delivery, performance and detection mechanism for browser-side fetched 3rd party JavaScript. Many established security vendors offer services in this space. Here's how c/side compares to them.
c/side offers a tiny script to add to a webpage. The script does 2 things:
Optimization: it rewrites script sources so they are proxied through the c/side proxy and performs some browser-side detections. This puts c/side in the flow of the request between the user and the 3rd party script without adding latency; in some cases our optimizations can even improve performance by caching static scripts.
Full monitoring: it gives full insight into the scripts served, for 100% of sessions. Many other vendors sample browser sessions, meaning attacks built to apply only to a small percentage of users could fly under the radar for a long time.
c/side uses a combination of various review methods (more on them below) crafted by security experts in the client-side JS field and leveraging the most modern AI models.
Our team is made up of true user experience geeks. We set out to build the most intuitive and nice-to-use security tooling. Our dashboard looks and feels 2024, and in most cases you wouldn't even need to go to a dashboard, as our notifications share what a script is doing and why we've decided to block it in simple, human-readable language.
Let's dive into the different approaches that make up security tooling. None of them are bad per se, but it's fair to say each has shortcomings.
c/side uses a mix of these to provide the best possible security, as we'll explain below.
Content Security Policies (CSP) are a browser-side feature specified by the W3C.
Content security policies were designed to define which script sources and external connections a user's browser is allowed to load. A wide range of directives exist, with varying levels of support across browsers. A web developer can manually define a list of sources allowed to be fetched for 3rd party scripts, ideally defining them as specifically as possible using the full URL of a given script and then also using an md5 hash to verify the payload (aka the code) of the script. Some vendors provide tools to help developers define and keep these lists up to date, and some other tools use CSP under the hood.
CSP has a few really significant limitations holding back its adoption. One is the strict maximum header length. On many sites 3rd party script URLs are too long, so the full domain gets allowlisted instead. Many major brands have wildcarded 3rd party sources that allow anyone on the web to submit code (think codesandbox.io), meaning such rules let bad actors through anyway.
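To make the two limitations concrete, here is an added example (our illustration, not c/side's or any vendor's code) that builds a `script-src` directive pinned to full URLs plus payload hashes, reports how long the resulting header would be against a configurable limit, and flags hosts where allowlisting the whole domain would be overbroad. Note that CSP hash sources are SHA-256/384/512 digests (base64-encoded), and for external scripts they are matched through the element's SRI `integrity` attribute under CSP Level 3; the script URLs, bodies, shared-host list and 8192-byte header limit below are constructed assumptions for the demo.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed sample: script URLs a page loads, mapped to the bodies that were served.
SCRIPTS = {
    "https://cdn.example-analytics.com/v3/tag.js": b"window.tag=function(){};",
    "https://codesandbox.io/p/sandbox/abc/dist/widget.js": b"console.log('widget');",
}

# Hosts where anyone can publish code, so a host-wide allow rule protects nothing.
# Constructed list for this demo, not a threat feed.
SHARED_HOSTS = {"codesandbox.io"}


def hash_source(body: bytes) -> str:
    """CSP hash-source for a script payload: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(body).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def build_script_src(scripts: dict, max_header_len: int = 8192) -> dict:
    """Build a script-src directive pinned to exact URLs and payload hashes.

    Returns the directive, its length, whether it fits the assumed header
    limit, and the hosts that would be overbroad if a developer fell back
    to allowlisting the whole host because the full list was too long.
    """
    sources = ["'self'"]
    overbroad = []
    for url, body in scripts.items():
        host = urlparse(url).hostname or ""
        sources.append(url)                # pin the exact URL, not just the origin
        sources.append(hash_source(body))  # pin the payload that was actually served
        if host in SHARED_HOSTS or any(host.endswith("." + h) for h in SHARED_HOSTS):
            overbroad.append(host)
    directive = "script-src " + " ".join(sources)
    return {
        "directive": directive,
        "length": len(directive),
        "fits": len(directive) <= max_header_len,
        "overbroad_hosts": overbroad,
    }


if __name__ == "__main__":
    result = build_script_src(SCRIPTS)
    print(result["directive"])
    print("length:", result["length"], "fits:", result["fits"])
    print("overbroad hosts:", result["overbroad_hosts"])
```

Lowering `max_header_len` to what your CDN or load balancer actually accepts shows at what point the pinned list stops fitting, which is exactly the situation in which teams tend to fall back to host-wide allow rules.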
In some cases, the security vendor will attempt to fetch the script from their own infrastructure, separately from the browser, using the source URL they received through a CSP report-only header. This makes it easy for a bad actor to circumvent detection: when they see a request coming from the IP range of a security or cloud vendor, they simply don't respond, or deliver a clean version of the script.
Similarly, dynamic script URLs may be built to only allow a single fetch which means the security vendor in question will never see the script that was served to a user.
A CSP violation, even a report-only violation, will create an alarming-looking console error in the browser developer tools.
Once scripts are detected, some tools attempt to review them and flag potentially malicious scripts.
In many security product spaces, threat feeds are still the standard today. Threat research companies crawl the web for known malicious patterns and add new domains that show malicious behaviors seen before. Some teams review social media sites (like Reddit or X) and monitor keywords people use in their tweets such as 'XSS', 'Magecart', 'Code Injection'... They then manually check if something is up. If it is, they often manually put it into a feed that is then consumed by cybersecurity firms and IT teams. This is a decent way of catching low-hanging fruit at a relatively low cost to the business.
Attackers, however, often monitor social media posts that flag their domain or the domains they managed to infiltrate, making it very obvious when they are detected.
This manual, human-review-based approach is not perfect, to say the least. Bad actors can quickly move their attack to a different domain without having to rewrite their malicious code. Especially in 2024, better ways to autonomously detect malicious patterns can be built, and that's what c/side has built.
Most competitors provide 3rd party JavaScript detection as an add-on product to their broader security stack. This means you need to be a customer in order to use their client-side protection services. If you already are a customer, a lot of tools start at $1,500 per month, quickly ramping up depending on site bandwidth and number of domains.
Some vendors lock even their most basic tier behind a 'contact sales' wall. At c/side we understand how busy teams are and that such an approach is not very pleasant. For some, it is even a deal breaker. The c/side free tier is a great starting point for people to test the waters of what c/side could offer: it detects known bad scripts and covers the PCI DSS requirement for script monitoring out of the box.
The c/side business package offers similar functionality to the enterprise packages of competitors and is able to detect advanced attacks.
The c/side enterprise plan is the best in class, yet still more cost-effective than most solutions in the market. It detects sophisticated attacks using more expensive but effective detection mechanisms, combined with a range of enterprise-specific features such as incident management platform integrations, SSO, advanced support, and more.
We've also made it easy for partners like development agencies, security consultants or managed service providers. You can manage all your clients in one dashboard, no need to create separate accounts or onboard them. The exact fees depend on your usage.
We even offer a SOC service as an optional add-on so you'll always have a human ready on stand-by, reducing noise to 0.
Find out how c/side compares to the other tools in the market and decide for yourself what your preferred solution is.
Let's wrap up how we're able to differentiate from our competitors at this time.
Tech: In the worst case, established vendors will only list the scripts on your site so you can monitor them. Some allow you to block or allow them with little to no further explanation. Most even use outdated forms of community monitoring (remember threat feeds?) to 'secure' you. In the best case, they offer a form of real-time blocking. We do all of that and more, as we also offer a proxy to completely shield your scripts from malicious attempts without performance loss.
Pricing: The big companies charge about $1,500 per month, plus you often need to be part of some larger existing package, jacking up the price even more. Others don't mention pricing transparently. Our free tier offers most (if not all) of their features, and our packages start at $99 per month.