CSP is a great base layer for client-side security. Depending on your needs, it can provide enough security, but it's not the highest level achievable. A CSP cannot see the contents of a script, so if an allowed script turns malicious, you are still susceptible to an attack. If you run a limited number of scripts that are considered safe, and depending on your internal risk evaluation, a CSP is a great way to start, especially with free offerings like ours.
Why doesn't a Content Security Policy (CSP) make us PCI compliant?
PCI DSS requires monitoring scripts for changes. CSP can only control sources, not inspect payloads, so it cannot meet PCI DSS requirements.
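The difference between controlling sources and watching payloads, as an added example (not cside's code): a simplified `script-src` host allowlist check gives the same answer before and after a script body changes, while a recorded content hash flags the change. The host names, URL and script bodies are constructed, and the matcher models host-sources only (no nonces, hashes or paths).

```javascript
const { createHash } = require("crypto");

// Simplified host-source matching for a script-src allowlist.
// Assumption: only "scheme://host" and "scheme://*.host" entries are modelled.
function cspAllows(scriptSrc, url) {
  const { protocol, hostname } = new URL(url);
  return scriptSrc.some((source) => {
    const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
    if (!m || m[1].toLowerCase() + ":" !== protocol) return false;
    const host = m[3].toLowerCase();
    return m[2] ? hostname.endsWith("." + host) : hostname === host;
  });
}

function sha256(body) {
  return createHash("sha256").update(body, "utf8").digest("hex");
}

// Record the hash of each served body and report whether it differs
// from the last one seen for the same URL.
function checkScript(baseline, scriptSrc, url, body) {
  const hash = sha256(body);
  const previous = baseline.get(url);
  baseline.set(url, hash);
  return {
    cspAllowed: cspAllows(scriptSrc, url),
    changed: previous !== undefined && previous !== hash,
  };
}

// Constructed scenario: same allowed URL, two different bodies over time.
function demo() {
  const scriptSrc = ["https://cdn.vendor.example"];
  const url = "https://cdn.vendor.example/widget.js";
  const baseline = new Map();
  const first = checkScript(baseline, scriptSrc, url, "renderWidget();");
  const second = checkScript(baseline, scriptSrc, url,
    "renderWidget(); /* body modified upstream */");
  return { first, second };
}

console.log(demo());
```

In both observations the policy decision is identical; only the hash comparison distinguishes the second body from the first.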
Why do you offer CSP for free?
We fundamentally believe every individual and operation should be able to secure themselves, regardless of resources.
Can cside work alongside my existing WAF without conflicts?
We monitor an entirely different dimension of the application stack; hence, there is no interference.
Does cside's JavaScript proxy add latency like a WAF does to all traffic?
cside adds only 8-20 milliseconds of latency, and only to the specific, highly dynamic JavaScript files we proxy. For comparison, the blink of an eye typically lasts between 100 and 400 milliseconds.