This article takes an honest look at Cloudflare Page Shield — the product Cloudflare renamed to Client-Side Security in 2026.
Since you're on the cside website, we acknowledge our bias. That said, we've built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences. Where Cloudflare has genuinely improved the product, we say so.
Some of the folks on the cside team have worked at Cloudflare and even contributed to the development of Page Shield. Even as a competitor in some areas, we hold Cloudflare in high regard.
If you want to verify their claims yourself, please go to their product pages.
What changed: Page Shield is now "Client-Side Security"
In 2026 Cloudflare rebranded Page Shield to Client-Side Security, and the changes are more than cosmetic:
- The paid add-on (formerly the Page Shield add-on) is now Client-Side Security Advanced, and Cloudflare opened it to self-serve customers instead of Enterprise sales only.
- Domain-based threat intelligence is now free for all customers on the base Client-Side Security tier.
- Cloudflare added machine-learning malicious-script detection to the Advanced tier that analyzes the actual JavaScript code, not just the source domain.
- "Page Shield policies" are now called content security rules.
These are real improvements, and we've updated the comparison below to reflect them. The headline takeaway: Cloudflare now inspects script content, but it still inspects a fetched, sampled copy — not what actually executes in your users' browsers. That distinction is where cside continues to go further.
| Criteria | cside | Cloudflare Client-Side Security (Page Shield) | Why It Matters | What the Consequences Are |
|---|---|---|---|---|
| Approach used | Live in-session monitoring + server-side AI payload analysis | Sampled CSP reporting + static AI code analysis (Advanced tier) | | |
| Monitors 100% of sessions (no sampling) | Full support | No support | Attacks can fire between samples or only for a subset of visitors | Cloudflare samples only a small fraction of traffic (~1%); rare or targeted skimmers go unseen |
| Runtime & DOM-level behavioral detection | Full support | No support | Observes how scripts actually behave as they execute, including DOM changes | Static analysis of the fetched file misses DOM-based and execution-time attacks |
| Detects dynamic / targeted payloads (per user, time, location) | Full support | No support | Identifies attacks that only trigger for some users, times, or geographies | A skimmer serving to 1 in 1,000 visitors never appears in a fetched, sampled copy |
| Analyzes the exact script the user received | Full support | No support | Aligns analysis with what really executed, not a copy fetched separately | Cloudflare downloads from its own IPs with different headers — often not the user's payload, and often it can't fetch the script at all |
| AI / ML script analysis | Full support | Full support (Advanced tier) | Detects novel threats through code and behavior modeling, not just threat feeds | Cloudflare's classifier is Advanced-tier only and skips scripts over 300 KB |
| Full payload analysis regardless of script size | Full support | Partial support | Large bundled scripts are common, and they are where payloads hide | Cloudflare's classifier only runs on scripts up to 300 KB |
| Complete historical tracking & forensics | Full support | Partial support | Needed for incident response, auditing, and compliance | Cloudflare deletes resource data after 30 days without a new report |
| Archives the actual payload as evidence | Full support | No support | Auditors and responders need the real attack code, not just a score or a log | Without the archived payload you can't prove what an attack actually did |
| Works on any stack (no CDN / WAF lock-in) | Full support | No support | Client-side risk exists no matter which CDN or firewall you run | Cloudflare Client-Side Security requires routing your domain through Cloudflare |
| QSA-validated PCI DSS dashboard | Full support (VikingCloud) | Partial support | Independent QSA validation is the most reliable proof a solution meets PCI DSS | Cloudflare has a QSA applicability guide but a generic monitoring UI, not a PCI-mapped dashboard |
| In-product PCI script justification workflow (6.4.3) | Full support | No support | 6.4.3 requires written business and technical justification for every script | Cloudflare exports a CSV; teams document and justify each script manually |
| Usable script inventory & management UI | Full support | No support | Reviewing, approving, and justifying every script needs a real workspace, not a data export | Page Shield surfaces a list; teams end up tracking scripts and approvals by hand in spreadsheets |
| Covers PCI DSS 6.4.3 and 11.6.1 | Full support | Full support (Advanced tier) | Both address the requirements; the depth of evidence and workflow differs | Cloudflare's coverage needs the paid Advanced add-on — the free tier is not enough |
| Free CSP reporting endpoint | Full support (every plan, including free) | Partial support | CSP violation reporting is the baseline for client-side visibility | Cloudflare's content security rules are capped at 5 and gated to Advanced |
| SOC 2 Type II | Full support | Full support | Shows consistent operational security controls over time | A baseline both vendors meet |
| Ticketing Integrations (Linear, Jira) | Full support (both Linear and Jira) | No support | Native integrations let security alerts flow into existing developer workflows | Without native ticketing, teams create tickets manually, slowing response times |
What is Cloudflare Client-Side Security (formerly Page Shield)?
Cloudflare Client-Side Security competes only with cside's client-side security solution and PCI Shield. Other cside services like VPN detection, AI agent detection, and Privacy Watch are not in its scope.
Client-Side Security is Cloudflare's tool for monitoring the third-party JavaScript, connections, and cookies running in your visitors' browsers. It builds an inventory of scripts, alerts you when they change or look malicious, and lets you enforce an allowlist through content security rules (CSP). On the Advanced tier it adds machine-learning analysis of script code and code-change detection.
Is it a good idea to buy a client-side security solution from a firewall vendor?
Large security vendors sometimes have a stab at shipping a quick side product. They do this because they know their buyers are already bought into the platform — the easy choice is to add the vendor's own module. However, many teams notice that these side products don't get the attention they need, and often don't fully address the requirement. The browser is a fundamentally different attack surface from a network packet at a firewall, and it deserves a tool built for it.
Cloudflare did add real capabilities since 2024 — ML code analysis and more monitoring. But the product still behaves like a feature bolted onto a firewall rather than a tool built for the browser: you have to route your domain through Cloudflare to use it, the deepest detection sits behind the paid Advanced add-on, and — as we'll show below — the day-to-day workflow pushes the actual security and compliance work back onto you.
How Cloudflare Client-Side Security works
Cloudflare's detection hinges on a report-only Content Security Policy header that it adds to only a small sample of responses — in practice on the order of 1% of traffic. Nothing happens until one of those sampled reports comes back. Only then does Cloudflare download the script out-of-band and, on the Advanced tier, push it through its machine-learning and LLM scoring pipeline.
That download step is where the model breaks down. Cloudflare fetches the script from its own IP ranges, with different request headers than a real visitor's browser — so the copy it scores is frequently not the payload a real user received:
- It usually isn't the user's payload. A script that varies by cookie, session, referrer, geography, or time of day serves Cloudflare's fetcher something different from what a targeted victim gets. An attacker only has to return a clean version to Cloudflare's well-known infrastructure to keep skimming real sessions undetected.
- Often it can't fetch the script at all. Many scripts are served from single-use or session-bound URLs, or sit behind headers Cloudflare's fetcher doesn't replicate. When the fetch fails, there is simply nothing for the LLM pipeline to analyze.
- Sampling leaves wide blind spots. Because only a small fraction of responses carry the report-only header, low-traffic pages and rare, targeted payloads can take a long time to surface — or never surface at all. To see it for yourself, find a site that uses it, open your browser's developer console, and refresh the page several times.
- History is short-lived. Cloudflare's own documentation says it deletes information about a previously reported resource after 30 days without a new report, and its classifier only runs on scripts up to 300 KB.
Underneath, enforcement still leans on CSP, which trusts the origin, not the content of each resource. As we explain in Why CSP Doesn't Work:
CSP operates on an allow-list model, which permits resources from trusted domains but cannot block individual scripts or resources from those domains.
That gap is exactly how the biggest client-side attack of 2024 — Polyfill — worked: the domain was trusted, the payload was malicious.
Finally, adopting Cloudflare Client-Side Security requires you to be an existing Cloudflare customer.
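The gap between an origin allowlist and the content a session actually receives, as an added example (not code from Cloudflare or cside): it runs a CSP-style host check and an inventory hash check over the same constructed observations. The host `cdn.example.test`, the script bodies, and all function names are assumptions made for illustration.

```javascript
// Added example: constructed data and hypothetical names throughout.
const { createHash } = require('node:crypto');

const sha256 = (body) => createHash('sha256').update(body).digest('hex');

// CSP-style check: only the host of the script URL is compared to an allowlist.
function originAllowed(url, allowedHosts) {
  return allowedHosts.includes(new URL(url).host);
}

// Content-level check: hash the body each observer received and compare it
// with the hash approved for that URL in the script inventory.
function reviewObservations(observations, inventory, allowedHosts) {
  return observations.map((o) => {
    const digest = sha256(o.body);
    const approved = inventory[o.url];
    let contentVerdict = 'changed-payload';
    if (approved === undefined) contentVerdict = 'unknown-script';
    else if (approved === digest) contentVerdict = 'matches-inventory';
    return {
      source: o.source,
      url: o.url,
      cspVerdict: originAllowed(o.url, allowedHosts) ? 'allow' : 'block',
      contentVerdict,
    };
  });
}

// Constructed sample bodies (placeholders, not real script content).
const CLEAN = 'function polyfill(){/* approved build */}';
const ALTERED = CLEAN + '/* unreviewed addition */';
const SCRIPT_URL = 'https://cdn.example.test/lib.js';

const inventory = { [SCRIPT_URL]: sha256(CLEAN) };
const allowedHosts = ['cdn.example.test'];

// One out-of-band copy and two in-session copies of the same URL.
const observations = [
  { source: 'out-of-band-fetch', url: SCRIPT_URL, body: CLEAN },
  { source: 'user-session-1', url: SCRIPT_URL, body: CLEAN },
  { source: 'user-session-2', url: SCRIPT_URL, body: ALTERED },
];

const results = reviewObservations(observations, inventory, allowedHosts);
for (const r of results) console.log(r.source, r.cspVerdict, r.contentVerdict);
```

All three observations pass the origin check; only the hash comparison against what the session itself received separates the third from the other two.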
What it's like to actually run it
Coverage on a feature page is one thing; operating the product is another. Page Shield shows you a list of scripts, but gives you no real workspace to manage them. To produce the inventory and written justifications PCI DSS 6.4.3 requires, you export a CSV and track approvals, owners, and justifications by hand — Cloudflare's own QSA evaluation tells customers to export the scripts report and document the business and technical justification themselves. For a control you're meant to evidence continuously, that becomes a spreadsheet you maintain forever.
Put the detection gaps and the workflow together and the picture is honest but unflattering: a ~1% traffic sample, an out-of-band fetch that often isn't the user's payload or can't be retrieved at all, a 30-day memory, and a list you reconcile in a spreadsheet. It can look like coverage on a checklist while rarely catching the actual attack — or producing the evidence — when it counts.
How cside goes further
Both cside and Cloudflare now analyze script code. The difference is what we analyze and how completely.
cside mirrors every live user session and observes how scripts actually behave as they run in the browser — the DOM changes they make, the network calls they fire, and the payloads they serve to real visitors. Cloudflare scores a copy it fetched separately, from its own datacenter IPs, on a sampled basis. So when a trusted CDN starts serving a skimmer to 1 in 1,000 users after 5 p.m., cside sees it in the sessions where it actually fires; a fetched, sampled copy often doesn't contain it at all.
Because cside's analysis happens server-side, it's invisible to attackers — they can't fingerprint our infrastructure and serve it a clean script the way they can with a predictable crawler.
We also keep a complete history of every script version served to your users and archive the actual payload. When an auditor or incident responder asks what happened, you have the real attack code and a full timeline — not a score, and not a report that aged out after 30 days.
On compliance, both products now address PCI DSS 6.4.3 (authorize, inventory, and justify every payment-page script) and 11.6.1 (detect and alert on unauthorized changes to scripts and security-impacting headers). Cloudflare gives you monitoring and a CSV export, and leaves the written justifications and audit evidence to you — and only on the paid Advanced tier. cside ships a PCI-specific dashboard, independently validated by QSA firm VikingCloud, with one-click and AI-assisted script justification, so the audit trail is generated for you.
cside also includes a free CSP reporting endpoint on every plan, including the free tier. You get everything Page Shield offers for CSP monitoring, plus live in-session and payload-level protection on top — and you don't have to move your domain to a specific CDN to get it.
Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.