Blog

Best client-side security for Financial Institutions?

Nation-state targets like Financial Institutions need to partner with vendors that understand limitations and work to get as close to full coverage as is possible. Read why many chose for cside's multi-layer model.

Dec 24, 2025 • 6 min read

Simon Wijckmans Founder & CEO

TL;DR:

Given the sensitivity to compliance, the best vendors for financial institutions must have SOC2 Type 2 certifications, PCI DSS SAQ-D and more.
Financial Institutions are nation-state targets for bad actors. Therefore the best security vendors for them are invested to be at the cutting edge of technical ability. Good enough is not good enough. An indicator of the right attitude to cutting edge is contribution to standards organizations like the W3C, IETF and TC39.
Security is layering: a vendor that offers a multi-layer security model helps companies remain safe when bad actors attempt to build bypasses for security layers.
Conclusion: the best solution for Financial Institutions is cside’s multi-layer approach.

Why are Financial Institutions classified as a nation-state target?

Some bad actors don’t just look to make a quick buck. They can be state sponsored, incentivized to wreak havoc. Destabilize essential services required to run economies.

Financial Institutions are a prime target and with their size and exposure comes additional risk and therefore opportunity for the bad actors. When banks go down, so does the economy.

Financial Institutions are in the same realm as Government IT environments, large scale healthcare providers and critical infrastructure like public transport and energy providers.

To build credibility in the Financial sector brands go through a significant multi-year process to obtain trust of customers across various types. With that comes significant technical debt through legacy applications.

Vast and legacy infrastructure increases attack surface

It’s not an industry secret that many of the large Financial Institutions still run on COBOL. A research paper by a member of the technical staff at PayPal states the problem very clearly: “Traditional banking infrastructure is often outdated and struggles to meet the increasing demands for seamless, real-time digital services.”

Meaning legacy web applications are often layered by more modern technologies increasing the attack surface in order to ship new user experiences. By leveraging vulnerable back-ends to inject client-side scripts or targeting legacy dependencies to infiltrate the supply-chain, bad actors can cause severe harm to global economies.

Client-side attacks target specific assets

Client-side attacks against Financial Institutions usually target:

User-credentials and session tokens to gain access to accounts
Payment card information
Bank statements and sensitive identity information

Strict Regulatory and Compliance Requirements

Financial Institutions are subject to a substantial list of compliance frameworks in order to operate, their banking license depends on compliance.This ranges from complying with PCI DSS, DORA, local privacy laws like CCPA or GDPR and as a sign of trust but often a requirement for business customers: SOC2 Type 2, ISO 27001…

What approach is best for Financial Institutions?

Given the gravity of the target, there is little room for error. So a good solution must fit the application like a glove.

Therefore a layer approach is ideal. Especially if the solution in question is customizable and creates transparency and control where there was lacking control before.

That is why we built cside as a platform leveraging all the different layers available to date.

Leveraging 3 automated but also independently configurable layers of client-side monitoring layers and multiple detection engines including open source Large Language Models for detections.

Layer 1: monitoring behaviours client-side. Many solutions in this space solely rely on client-side detections, and it is indeed one of the most effective methods out there. The only real problem with this approach is that detection capabilities to an extent are exposed and that data on missed attacks is limited. Making an easy sandbox environment for a bad actor. Cside protects APIs to prevent such bypasses, but unlike modern operating systems, browsers are not built for security.
Layer 2: async script and page fetching to verify outside-in whether the script is correctly implemented and a few extra edge cases that are not exposed to scripts in browsers like HTTP headers.
Layer 3: the Gatekeeper. Cside has a feature that allows you to pass a script through their edge engine. This edge engine is not susceptible to the same exposure the client-side layer has. With the Gatekeeper browser limitations are no longer blockers as cside is, effectively as conduit, serving the script. Meaning it can keep a copy and dig into missed attacks later to improve detections.

We even offer a Content Security Policy endpoint as well so that customers can leverage browser native approaches, JavaScript, the Gatekeeper technology and more. A bank, insurance provider or crypto platform simply can’t take the risk.

Security requires a multi-layer model

Most security tools rely on only one of the above mentioned layers, either runtime or out-side in scanning. But the problem is that none of these layers on its own is fully bulletproof and therefore fails to provide comprehensive cover. By combining engines you get closer and closer to full coverage.

Many solutions in the market are side features of larger web security companies. Instead of building a platform for client-side security, they built a tiny side feature. These solutions are constrained by the focus of the business. Often client-side is an area they are unwilling to invest substantial resources in and therefore rely solely on injecting Content Security Policies into the website through their WAF.

Some solutions are effectively just scanners. Bad actors see the scanners and don’t serve the malicious scripts to their point in time check. Given the value of the target, this approach is ineffective.

For compliance purposes it's convenient that the solution offers dashboards specifically to address each framework. Frameworks come with a range of unique controls and manually collecting that data is a painful continuous chore.

Some approaches, like scanner based solutions have been found to be commonly bypassed by bad actors. They detect the scanner and serve clean contents to the scanner to fly below the radar. Researchers at ISACA, University of Brighton, Google and Oracle have flagged that dynamic client-side scripts effectively bypass Static Analysis by scanners.

Cside is always looking to extend its capabilities and is actively pushing a number of new standards that would enable stronger client-side security using native browser functionality.

The cside team are active contributors to standard bodies like the W3C, IETF, and TC39.

Founder & CEO Simon Wijckmans

Founder and CEO of cside. Building better security against client-side executed attacks, and making solutions more accessible to smaller businesses. Web security is not an enterprise only problem.

Table of Contents

Back to top

Don't just take our word for it, ask AI

Ask ChatGPT

Ask Claude

Ask Perplexity AI

FAQ

Frequently Asked Questions

One where a layered approach is adopted. 1. Runtime using a script 2. Outside-in checks 3. cside Gatekeeper for higher risk assets 4. CSP as an extra fallback A solution focused on quality of security instead of raw check-box compliance or convenience. Using a vendor like cside that has its compliance requirements in order. Cside fits this list like no other.

The economy is the backbone of the functioning society. State-sponsored attackers have identified Financial Institutions as prime targets to maximize impact, wreak havoc, and destabilize economies and, as a result, democracy. Systems that power the economy are as essential as critical infrastructure.

Runtime-only exposure is easy to bypass due to exposure of detections.

Agent-less scanners get served what the bad actor wants to show. Attackers detect scanners and choose what to serve, which is unlikely to be the malicious script.

Content Security Policies (CSP) are tricky to maintain and act as a source allowlist, not a payload- or actions-level security mechanism.

Financial Institutions attract bad actors that actively analyze protection mechanisms to bypass them. These are not spray-and-prey attacks, so layering is necessary to get as close as technically possible to full coverage, even though browsers do not natively provide an end-to-end solution.

Credential theft.

Session hijacking.

Payment data exfiltration.

Supply-chain script injection.

Each aiming for volumetric exposure of large amounts of customer data to maximize chaos and financial gain.

Bad actors detect the scanner and serve a benign script, while others under specific circumstances receive the malicious script.

By populating an interesting-looking dashboard with scanner-obtained metrics, a false sense of security is created. The actions you have to worry about will not show in these tools.

Best client-side security for Financial Institutions?

Nation-state targets like Financial Institutions need to partner with vendors that understand limitations and work to get as close to full coverage as is possible. Read why many chose for cside's multi-layer model.

NJDPA: Guide to Requirements + Website Compliance

Get a clear breakdown of the New Jersey Data Privacy Act rules, enforcement timelines, and how to manage third-party scripts for compliance.

What is CSS Security? | Preventing Phishing, Clickjacking from CSS Attacks

CSS controls what users see. Attackers exploit that. This article explores CSS-based client-side vulnerabilities and how to protect against them.

Which platform offers the most comprehensive client-side script monitoring?

Technical evaluation of modern client-side security approaches and why layered detections are necessary for comprehensive coverage.

TDPSA: Guide to Requirements + Website Compliance

Get a clear breakdown of Texas Data Privacy and Security Act rules, enforcement timelines, and how to manage third-party scripts correctly.

The British Airways Attack of 2018 - The Deeper Story

The 2018 British Airways attack affected 429,612 individuals. See why cside bought the attacker domain to turn it into a lesson on modern web security.

How cside brought AI to Client-Side Security

In 2024, cside launched the first client-side security solution with integrated AI for JavaScript security analysis and compliance automation.

Addressing Incorrect Claims Made by Reflectiz About cside

Learn why Reflectiz’s scanner-based claims about cside are incorrect and how cside’s real-time client-side security provides deeper protection, full payload forensics, and PCI DSS 4.0.1 compliance.

Magecart Attacks: Complete Guide and Prevention Strategy

Magecart attacks steal card data in the browser before traditional tools detect them. Learn how Magecart attacks work and entry points used by attackers.

Script Integrity Management for e-commerce Brands (SRI, Dynamic Scripts)

Deep dive into script integrity vs Subresource Integrity vs behavioral monitoring for PCI DSS 6.4.3, 11.6.1, ISO 27001, and HIPAA compliance.