Skip to main content
Blog
Blog

Browser-Layer Script Activity Logging and Incident Response: Complete Guide for 2026

SIEM and EDR tools log the endpoint. WAFs log the network. Neither logs what third-party scripts do inside your users' browsers. This guide covers what browser-layer script activity logging captures and how incident response works when a script on your site is compromised.

Jul 13, 2026 9 min read
Browser-Layer Script Activity Logging and Incident Response: Complete Guide for 2026

Browser-layer script activity logging is the real-time recording of what JavaScript executes inside a user's browser: every DOM read, form field access, network request, cookie write, and dynamic script injection made by first- and third-party code during a live session. It is the logging layer that SIEM, EDR, and WAF tools cannot reach, and where Magecart skimming, supply-chain compromises, and session-hijacking scripts execute.

Most security teams have strong logging at the server, network, and endpoint layers. The browser runtime, where third-party scripts run with the same privileges as first-party code, is almost always unmonitored. This guide covers what a browser script activity log captures, why the gap matters, and what effective incident response looks like when a script on your site is compromised.

The logging gap most stacks leave open

A typical enterprise security stack logs the following layers:

LayerWhat it logsTypical tools
NetworkHTTP/S traffic, DNS, firewall eventsWAF, NGFW, NDR
EndpointOS calls, process execution, file writesEDR, XDR
ServerApplication logs, auth events, API callsSIEM (via agents/connectors)
Browser runtimeJavaScript execution, DOM reads, script behaviorMissing in most stacks

The browser runtime is where client-side attacks operate. A Magecart script reads the value of a payment card field and sends it to a remote server. That read happens entirely inside the browser. The network layer sees an HTTPS POST after the data has already left. The EDR sees no anomalous process. The SIEM has no entry. The attack completes with a clean log record everywhere, which is why teams that want to detect Magecart in real time instrument the browser itself.

Network-versus-browser-session diagram showing one incoming request, a single IP and set of headers issuing GET /pricing, read at two layers: the network layer with WAF, CDN and header and IP inspection sees a residential proxy IP, a Chrome 124 TLS fingerprint, a valid session cookie and a Chrome 124 user-agent and finds no anomaly on a clean load, while cside's browser-session layer reads the in-session behaviour, a pointer that never moves, 0.2 second dwell per page, strictly sequential navigation and no scrolling, and classifies the session as automated and rate-limits it, because the network layer cannot see inside the browser session

For one GET /pricing from a single IP, the two layers reach opposite verdicts:

Network/server layer seesBrowser-session layer sees
IP: residential proxyPointer: 0 px moved
TLS: Chrome 124 fingerprintDwell: 0.2s per page
Cookie: valid sessionNavigation: strictly sequential
User-Agent: Chrome 124Scroll: none
Verdict: no anomaly, clean loadVerdict: classified automated, session rate-limited

The headers look human, so WAF, CDN, and IP inspection wave the request through. The same session, read at the browser layer, never moves a pointer, dwells 0.2 seconds per page, and walks pages in strict order without scrolling — the network blind spot is exactly where cside catches it.

The Polyfill[.]io supply-chain compromise in June 2024 demonstrated this at scale. A widely used CDN-hosted script was modified to serve malicious payloads to over 490,000 websites. Each affected site's WAF, SIEM, and EDR had clean logs. The only tools that could detect the anomaly were those operating at the browser execution layer.

What a complete browser script activity log captures

A useful browser-layer activity log records six categories of script behavior:

1. DOM access and mutation

Which elements a script reads or writes, with specific attention to input fields, form elements, and password fields. A payment-page script that has never previously read the card number field but does so in a new deployment is a behavioral anomaly worth flagging immediately.

2. Network requests

Every fetch(), XMLHttpRequest, navigator.sendBeacon(), image pixel, and WebSocket connection initiated by a script, including the destination domain, request method, and whether the destination is new or previously seen. New outbound destinations are the primary indicator of data exfiltration.

3. Cookie and storage access

Which scripts read or write cookies, localStorage, and sessionStorage. Legitimate analytics scripts rarely need session tokens. If one starts reading them, the behavior should be flagged.

4. Dynamic script injection

Scripts that create new <script> elements or use eval(), Function(), or document.write() to execute new code at runtime. This is how second-stage malware loads in supply-chain attacks: the first script is clean and it fetches and executes the actual payload dynamically.

5. Subresource requests and fourth-party dependencies

Scripts that load additional external resources, creating a chain from your approved third-party to an unapproved fourth-party domain. The Polyfill[.]io attack used this pattern: the compromised CDN script loaded attacker-controlled code from a separate domain.

6. Behavioral baseline deviations

The most actionable signal is not a single event but a deviation from established behavior. A script that has run on your checkout page for six months and has never accessed form fields, then suddenly starts reading card input values in one session per thousand: that is the detection event.

Incident response for browser script attacks

Effective incident response for a browser-layer script compromise follows a distinct workflow from server-side incidents. The timeline is compressed because data can be exfiltrated in milliseconds and the attack surface is every user session running the compromised script.

Detect

Detection relies on behavioral anomaly alerting, not signature matching. Signature-based detection fails against polymorphic and obfuscated payloads described in detail here. The trigger for a browser-layer incident should be: a known script accessing data types it has never previously accessed, or a script making network requests to a destination outside its established behavior profile.

A real-time alert, not a next-day SIEM batch, is the minimum standard. By the time a daily log review catches a Magecart script, tens of thousands of sessions may have been exposed.

Contain

Containment at the browser layer happens differently from endpoint containment. Options include:

  • Block the specific network request: prevent the exfiltration call from completing by intercepting the outbound request the malicious script makes.
  • Block the script itself: prevent the compromised script from loading on subsequent page loads, immediately reducing the attack surface.
  • Alert without blocking: use for lower-confidence detections where false-positive risk is high. Logs the event and alerts the team without user-visible impact.

The ability to block without a code deployment, directly from a monitoring platform without touching the site's source, is critical for speed of containment. Code deployments take hours; browser-layer blocking can be near-instantaneous.

Investigate

The investigation step requires a log of what happened in affected sessions. Without a browser activity log, this step is nearly impossible. With one, the investigation can answer:

  • Which sessions ran the compromised script version?
  • During those sessions, which data fields did the script access?
  • Where were the network requests sent?
  • Did the exfiltration complete (did the destination respond) or was it interrupted?

This log is also the evidentiary record for breach notification decisions under GDPR Article 33 (72-hour notification threshold) and PCI DSS requirements. Without it, the default assumption under most frameworks is that all exposed sessions were compromised.

Remediate

Remediation for a browser script compromise includes: removing or rolling back the compromised script version, confirming the attacker's exfiltration endpoint is blocked at the network level, assessing which user sessions require notification, and updating the script's behavioral baseline so the next deviation is detected faster.

The post-incident review should assess whether the detection-to-containment window met an acceptable threshold. For payment-page scripts under PCI DSS requirements 6.4.3 and 11.6.1, the expectation is detection of unauthorized script modifications in real time, not hours or days later.

How to evaluate platforms for browser script activity logging

Not all monitoring tools that claim browser-layer visibility actually instrument the browser runtime. Questions to ask during a product evaluation:

Evaluation areaWhat to look forRed flag
Logging methodAgent or SDK that runs in the browser and observes executionCrawler that simulates sessions externally
CoverageAll sessions, not a sampled subsetSampling means most attacks go unlogged
Baseline learningAutomatic behavioral profiling per script per pageRequires manual threshold configuration
Blocking capabilityCan block script network requests without a code deploymentDetection-only with no enforcement path
Log retentionIndexed session-level logs available for investigationAggregate metrics only, no session replay
Compliance evidenceExportable logs mapped to PCI DSS 6.4.3/11.6.1 and GDPR Article 32No structured compliance output

The key distinction is instrumentation method. An external scanner visits your page from a headless browser and records what it observes during that artificial session. An attacker who only activates against real users, a common evasion technique, is invisible to a scanner. Runtime instrumentation that runs in every real user's session captures what scanners miss.

Where cside fits

cside is browser-native script activity logging and enforcement built specifically for third-party JavaScript risk. It instruments the browser execution layer in every real user session and logs the six categories described above: DOM access, network requests, cookie and storage reads, dynamic script injection, subresource chains, and behavioral deviations from established baselines.

When an anomaly is detected, cside can block the script's network requests or the script itself without requiring a code deployment. The activity log it produces is structured for both incident investigation and compliance evidence under PCI DSS 6.4.3, 11.6.1, and GDPR Article 32.

For teams currently relying on SIEM, EDR, and WAF coverage and assuming those three layers cover the full attack surface: they do not cover the browser runtime. That is the layer where Magecart, formjacking, and digital skimming, supply-chain compromises, and session-hijacking scripts operate, and it is the layer where script activity logging and incident response has the widest gap in most enterprise stacks.

Further reading

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

Browser-layer script activity logging is the real-time recording of what JavaScript executes inside a user's browser: every DOM read, form field access, network request, cookie write, and dynamic script injection made by first- and third-party code during a live session. It captures the execution layer that SIEM, EDR, and WAF tools cannot reach because those tools operate at the network or endpoint level, not inside the browser runtime.

SIEM platforms aggregate logs from servers and network devices. EDR tools instrument the operating system. WAFs inspect HTTP traffic in transit. None of these observe the JavaScript execution environment in the user's browser. A third-party script that reads form fields and sends data to an attacker's server over HTTPS looks like normal outbound traffic to a WAF, an authorized process to an EDR, and a missing entry in the SIEM. The logging gap exists at the browser runtime layer.

Effective incident response for a browser script compromise follows four steps: detect the behavioral anomaly in real time (a script reading payment fields it has never previously touched), contain it by blocking the script's network requests or the script itself, investigate using the activity log to determine which sessions were affected and what data was accessed, and remediate by removing or quarantining the compromised script and notifying affected users. Without a browser activity log, the investigation step collapses because there is no record of what happened.

cside provides browser-native script activity logging built specifically for third-party JavaScript risk. It records what each script does at runtime, identifies behavioral deviations from established baselines, and can block scripts when anomalous behavior is detected. Unlike SIEM connectors that pull server logs, cside instruments the browser execution layer directly, capturing signals like dynamic script injection, cookie exfiltration, and form field reads that only exist inside the browser runtime.

Without a browser-layer monitoring tool, you generally cannot know until a breach is reported externally. With browser-layer script activity logging, you can observe in real time which scripts access which form fields or cookies, which network destinations each script communicates with, and whether any script makes requests to destinations outside its established behavior profile. Unusual form field reads combined with new outbound network requests are the primary behavioral signature of a data exfiltration script.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo