Eliminate the blindspot
99% of websites today use JavaScript services. These are often added without proper vetting and authorization by security, resulting in a blind spot for the business.
Protect against data theft and malicious JavaScript. Designed to meet the needs of businesses aiming to comply with PCI DSS 4.0 standards while defending against client-side attacks and ensuring the security of sensitive customer data.
Real-time discovery and monitoring of all client-side resources and of each script's behavior ensures complete visibility. Gain control over all first- and third-party JavaScript code embedded on your website.
Actionable insights make it easy to identify risky resources, headers, and scripts. Continuous monitoring alerts the security team to any new services. And if any JavaScript code is compromised, your security team is the first to know.
Comprehensive inventorying, authorization, dynamic integrity verification, and real-time monitoring streamline regulatory compliance with the new client-side security requirements introduced in PCI DSS 4.0.
Continuous discovery of existing and newly added services on your site, providing comprehensive visibility into client-side resources and JavaScript and real-time alerts for newly discovered services. It monitors script changes and identifies and flags any services doing data transfers. Flexible alerting options are available through emails, APIs, or SIEM.
Actionable insights enable security teams to assess each service swiftly. A domain risk score provides a credibility rating to simplify the assessment of each service, identifying compromised code and obfuscated scripts that may hide malicious activity. AI Explain leverages artificial intelligence to clarify each script’s actions, reducing the time and effort needed by security practitioners.
Easy enforcement options give security teams full control over the client side. Security teams can block or authorize services using a negative or positive security model with one click. A zero-trust approach blocks new services or changes until they are reviewed and authorized. Instant Blocking handles known malicious services out-of-the-box, while Advanced Enforcement offers granular configurations.
The PCI Dashboard addresses PCI DSS 4.0 client-side security requirements by clearly explaining each requirement and identifying related action items. It validates content security policy headers, offers weekly summaries for payment page changes, and helps you stay audit-ready while monitoring compliance-affecting changes easily.
By leveraging the Imperva Cloud Application Security solution, Client-Side Protection deployment is safe and straightforward, with a fast detection process that starts within minutes. This extra layer of security provides numerous benefits to websites without causing additional latency or requiring any code changes. Most importantly, it will not disrupt the functioning of your website.
As web applications rely more on client-side logic and third-party code, client-side attacks are on the rise. These attacks can steal sensitive customer data, leading to breaches and noncompliance with data privacy regulations. PCI DSS 4.0 addresses this threat with new client-side security requirements. Imperva Client-Side Protection offers comprehensive visibility, actionable insights, and easy controls, enabling security teams to effortlessly manage client-side resources and JavaScript while streamlining compliance with PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
Digital skimming attacks like Magecart involve injecting malicious JavaScript into first-party code or the code of third-party services. These can result in long-term, devastating data breaches.
PCI DSS 4.0 introduced 2 new requirements for client-side security: 6.4.3 and 11.6.1. These necessitate securing payment pages from malicious scripts and unauthorized modification or tampering.
These attacks inject malicious JavaScript into first-party or third-party code used on legitimate websites. Just a single line of malicious code, like a JavaScript sniffer, is enough. Since this JavaScript runs on the client-side, it allows attackers to collect sensitive personal information directly from the browser whenever a customer enters their data into an online form.
Imperva Client-Side Protection utilizes HTTP Content Security Policy response headers, which are widely supported by modern browsers. Alongside CSP headers, Client-Side Protection adds a second mechanism that gives more granular control over your service dependencies: Instant Block uses JavaScript service worker technology, acting as a proxy between the web browser and web servers.
Yes, the Imperva Application Security platform and its infrastructure are PCI compliant. Client-Side Protection is specifically designed to help organizations meet requirements 6.4.3 and 11.6.1 in PCI DSS 4.0, the latest data security standard version. Complying with these requirements becomes mandatory in April 2025.
Client-Side Protection automatically blocks known malicious domains based on data from the Imperva Threat Research Team. This includes domains identified as high-risk for Magecart, Malware, or other malicious activities, ensuring immediate protection without additional configuration.
No. While WAF and RASP are key parts of your security strategy, they only inspect requests made to your server. Malicious client-side code runs directly in the customer's browser and never passes through them.
It is crucial to consider that missing any domain could pose a high risk to your website. To mitigate this risk, you should compile a detailed inventory of all the services used on your site. You must then devise a comprehensive policy covering all these services and maintain it continuously as the marketing and development teams update the website. This process can be challenging and time-consuming.
Client-Side Protection won't break your website, nor will it add any latency. Because it is part of the Imperva Application Security Platform, all it takes to get started is a single click to deploy Client-Side Protection. Furthermore, Client-Side Protection will first operate in Discovery mode.
No. Blocking a JavaScript domain using CSP only prevents the browser from loading scripts from that specific domain on your pages. Your customers will still be able to use your website as usual.
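The inventory-then-policy workflow described above (compile an inventory of script origins, turn it into a positive CSP script-src allowlist, flag any newly appearing origin, and confirm the CSP blocks it while leaving authorized scripts untouched), as an added illustration in Python that is not Imperva's code. The sample HTML, hostnames and page origin are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample checkout page (hostnames are illustrative placeholders, not real services).
BASELINE_HTML = """<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="https://tags.vendor.example/tag.js"></script>
</head><body><script>init();</script></body></html>"""

# Same page after a change introduced one extra, unreviewed script origin.
CHANGED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://metrics.unknown.example/m.js"></script></head>')

PAGE_ORIGIN = "https://www.shop.example"  # assumed origin of the protected site


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


class ScriptInventory(HTMLParser):
    """Collect the origin of every external <script src> on a page (inline scripts have no origin)."""
    def __init__(self):
        super().__init__()
        self.origins = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src and "://" in src:
            self.origins.add(_origin(src))


def inventory_script_origins(html):
    parser = ScriptInventory()
    parser.feed(html)
    return sorted(parser.origins)


def new_origins(baseline_html, current_html):
    """Discovery: origins present now that were absent from the authorized baseline."""
    return sorted(set(inventory_script_origins(current_html)) - set(inventory_script_origins(baseline_html)))


def build_script_src(authorized_origins):
    """Positive security model: only 'self' and reviewed origins may supply scripts."""
    return "script-src 'self' " + " ".join(sorted(authorized_origins))


def script_allowed(csp, script_url, page_origin=PAGE_ORIGIN):
    """Evaluate a script URL against script-src: 'self', exact origins and *.host wildcards."""
    directive = next((d.split() for d in csp.split(";") if d.strip().startswith("script-src")), None)
    if directive is None:
        return True  # no script-src present (default-src fallback omitted for brevity)
    origin, host = _origin(script_url), urlsplit(script_url).hostname or ""
    for src in directive[1:]:
        host_pattern = src.split("://")[-1]
        if (src == "'self'" and origin == page_origin) or src == origin:
            return True
        if host_pattern.startswith("*.") and host.endswith(host_pattern[1:]):
            return True
    return False
```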