Compromising a third-party service your website relies on is one common way attackers get in. Typically, your server delivers a web page, and your browser loads dozens or even hundreds of external sources such as analytics scripts, marketing tools, and payment processors. Only one of these needs to be intercepted by an attacker to replace a legitimate script with malicious code.
Cross-Site Scripting (XSS) attacks are an example of a malicious client-side executions. Once in place, credit card information and session tokens can be captured or redirect users to fake websites. Users will not notice these, and they can go undetected by traditional security tools.
Firewalls, WAFs, and vulnerability scanners are traditional security tools to protect your servers, but they can't see what's happening in your users' browsers.
Server-side security protects your infrastructure, while client-side security focuses on where your application actually runs, inside your users' browsers.
Client-side security is a critical subset of AppSec that focuses on protecting applications where they actually execute--in users' browsers.
Protecting your website visitors from malicious JavaScript attacks that happen in their browsers is the goal of client-side security.