This article takes an honest look at the features of Cloudflare Page Shield.
Since you're on the cside website, we acknowledge our bias. That said, we've built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
Some of the folks on the cside team have worked at Cloudflare and even contributed to the development of Page Shield. Even as a competitor in some areas, we hold Cloudflare in high regard.
If you want to verify their claims yourself, please go to their product pages.
| Criteria | cside | Cloudflare Page Shield | Why It Matters | What the Consequences Are |
|---|---|---|---|---|
| Approaches used | Script-based monitoring + server-side analysis | CSP + fetching script after | ||
| Real-time Protection | Full support |
No support |
Attacks can occur between scans or in the excluded data when sampled | Delayed detection = active data breaches |
| Full Payload Analysis | Full support |
No support |
Ensures deep visibility into malicious behaviors within script code itself | Threats go unnoticed unless the source is known on a threat feed |
| Dynamic Threat Detection | Full support |
No support |
Identifies attacks that change based on user, time, or location | Missed detection of targeted attacks |
| DOM-Level Threat Detection | Full support |
No support |
Tracks changes to the DOM and observes how scripts behave during runtime | Unable to identify sophisticated DOM-based attacks |
| 100% Historical Tracking & Forensics | Full support |
No support |
Needed for incident response, auditing, and compliance | Needed for incident response, auditing, and compliance |
| Bypass Protection | Full support |
No support |
Stops attackers from circumventing controls via DOM obfuscation or evasion | Stealthy threats continue undetected |
| Certainty the Script Seen by User is Monitored | Full support |
No support |
Aligns analysis with what actually executes in the browser | Gaps between what's reviewed and what's actually executed |
| AI-driven Script Analysis | Full support |
No support |
Detects novel or evolving threats through behavior modeling | Reliance on manual updates, threat feeds or rules = slow and error-prone detection |
| QSA validated PCI dash | Full support |
Partial support |
The most reliable way to ensure a solution is PCI compliant is to conduct a thorough audit by an independent QSA | Without QSA validation, you rely entirely on marketing claims, which could result in failing an audit |
| SOC 2 Type II | Full support |
Full support |
Shows consistent operational security controls over time | Lacks verified security control validation, making it a risky vendor |
| PCI specific UI | Full support |
No support |
An easy interface for quick script review and justification via one click or AI automation | Mundane tasks and manual research on what all the scripts do, which takes hours or days |
| Ticketing Integrations (Linear, Jira) | Full support (Both Linear and Jira) |
No support |
Native integrations with developer ticketing tools allow security alerts to flow directly into existing workflows | Without native ticketing integrations, teams must manually create tickets for security findings, slowing response times |
What is Cloudflare Page Shield?
Cloudflare Page Shield solely competes with cside's Client-side security solution and PCI Shield. Other services like VPN detection, AI agent detection and Privacy Watch are not in their scope.
Cloudflare Page Shield is a client-side security tool that monitors and analyzes third-party JavaScript running in users' browsers. It helps detect malicious or unauthorized script changes by providing real-time alerts and visibility into the behavior of external dependencies.
Is it a good idea to buy a client-side security solution from a firewall vendor?
Large security vendors sometimes have a stab at shipping a quick side product. They do this as they know that their buyers are bought into their platform. The easy choice is to simply buy their solution. However, many users notice quickly that these products did not get the attention they needed and often simply do not work or address the requirements. Browsers as an attack surface are totally different from looking at a network packet as firewall.
How Cloudflare Page Shield works
Cloudflare Page Shield uses a crawler that fetches the script after the page has loaded. If a script changes or matches known malicious patterns, Page Shield will flag it and issue an alert. However, because the crawler fetches scripts independently, not in the context of a live user session. It cannot account for dynamically served payloads that vary based on cookies, user behavior, referrer headers, or other runtime conditions.
Attackers can also see the Cloudflare IP addresses and serve a non-malicious version of the script. This would not flag their detection mechanism.
Page Shield does not analyze every session. Instead, it samples traffic to optimize performance and reduce resource consumption. This approach makes sense from a cost perspective, but it also introduces severe blind spots in security monitoring.
To verify this, find a site that uses Page Shield, open your browser's developer console, and refresh the page multiple times.
Page Shield leans heavily on Content Security Policies (CSP) to enforce script security. A CSP only trusts pre-approved script sources, not their content. Should the source stay the same but the content changes, like in the biggest client-side attack of 2024 – Polyfill – a CSP won't catch it.
We wrote an in depth article on Why CSP Doesn't Work in regards to providing the best client-side security solution:
CSP operates on an allow-list model, which permits resources from trusted domains but cannot block individual scripts or resources from those domains.
To our knowledge, Cloudflare Page Shield does store and analyze scripts. This means that once a script disappears from the monitoring window, there's no way to retrieve it for future analysis and machine learning.
Finally, adopting Cloudflare Page Shield requires you to be an existing Cloudflare customer.
How cside goes further
Page Shield stops at the domain level. If a script comes from an allowed domain, it gets through. cside looks inside the script itself.
Some of the folks on the cside team have worked at Cloudflare and contributed to Page Shield's development. We know its strengths and where it stops. CSP-based blocking trusts the origin, not the content. That becomes a problem when attackers compromise legitimate CDNs, which happens more often than most teams realize. The Polyfill.io supply chain attack is a good example: the domain was trusted, the payload was malicious, and CSP-only tools let it through.
cside analyzes the actual JavaScript payload on our infrastructure. If a trusted CDN starts serving a skimmer, we catch it before it reaches the browser. Cloudflare can't do this because Page Shield never inspects what scripts actually execute.
We also keep immutable forensic archives of every script version served to your users. When an auditor asks what happened during an incident, you have the actual attack code, not a CSP violation log saying a domain was blocked.
cside includes a free CSP reporting endpoint as part of the product. You get everything Page Shield offers for CSP monitoring, plus payload-level protection on top.
Sign up or book a demo to get started.
