Skip to content
Open BetaFree during open beta — no credit card required
Client-side security monitoring

A compromised script on your checkout or login page can skim card and login data for months before you notice.

ScriptPatrol watches every script on your checkout, login and account pages and alerts you when one is changed or added — the first sign of a skimmer or a compromised third-party. The attack runs in your visitor's browser, where your server and firewall never look.

For any website that loads third-party scripts — checkouts, logins, SaaS, content and marketing sites alike.

Magecart & supply-chain detection A+ to F Security Score No code changes

Free during beta · No credit card · First scan in about a minute

scriptpatrol.com
Live scan

Free site security scan

See every third-party script that can read your page — plus your headers and TLS, graded. About a minute, no account.

Your report includes
  • Every third-party script on the page, identified
  • The risks that matter, worst first — and the fix
  • An A+ to F Security Score, with the reasons
Read-only scan — we never add code to your site.

Free · no account · no card. We'll email your report and security tips — unsubscribe anytime.

Continuous monitoring in 3 steps

See every script your customers run, and get told when one changes — no code on your site.

1

Add your critical pages

Point ScriptPatrol at your checkout, login or admin pages. Automatic path discovery does the rest in under a minute.

2

We watch every script

ScriptPatrol inventories and hashes every script, then grades each page on headers, TLS and live script integrity.

3

You hear about it first

Any unexpected or changed script triggers an email and Slack alert with a risk score and a clear next step.

Zero impact on your systems
Works behind Cloudflare
Exportable security reports

A single compromised third-party script can skim card and login data from every visitor until someone notices. Monitoring is how you notice on day one, not day ninety.

How ScriptPatrol Helps

Every script your pages load, in plain sight

Spot Magecart and unauthorized JavaScript on your most sensitive pages — with a clear Security Score and audit-ready reports, and no work added to your team.

Magecart & Supply-Chain Detection
Our risk engine scores every script change from 0 to 100 and tells you why it flagged it. Injected skimmers and compromised third-party code surface; the routine vendor update is recognized and filtered out, so a real alert never gets lost in the noise.
Every Script Identified
ScriptPatrol names the vendor behind every third-party script it recognizes, flags look-alike code that impersonates a provider you trust (a fake Stripe, a spoofed analytics host), and risk-scores inline scripts. A disguised or unrecognized script stands out immediately — on a checkout, a login, or any page that matters.
See Where Your Pages Send Data
As ScriptPatrol scans a page, it maps every destination that page sends data to, separating your own domain from third-party endpoints and naming the vendors it knows. A host you never authorized — quietly receiving what your visitors type — is how a skimmer siphons passwords, card numbers and personal data.
Redirect & Embedded-Frame Coverage
When a checkout or login hands off through a redirect, ScriptPatrol follows the hop-by-hop path and records it as evidence — so you can see exactly where a payment page sends your customer. It also inventories the scripts inside same-origin embedded frames, the widgets a single page-level check would miss.
Continuous Runtime Detection
Point your Content-Security-Policy report-uri at ScriptPatrol and your visitors’ own browsers report blocked or unexpected scripts as they happen — catching runtime violations in between scheduled scans. Every report is matched to your baseline, risk-scored, timestamped, and surfaced in your dashboard.
Live Script Inventory
Maintain a complete inventory of every script your pages load, each pinned to a SHA-256 hash and checked against a known baseline. Authorization status and change history are tracked automatically.
Daily Change Detection
ScriptPatrol re-checks your pages every day — scripts and security headers alike — so a change is caught within a day, not at your next manual audit. Every change is logged with a precise timestamp and a before-and-after comparison, then sent as an email and Slack alert with a plain-language AI explanation of what changed.
A+ to F Security Score
Grade every monitored page on its HTTP security headers, TLS, cookie flags, and live script integrity against a known baseline. See and prove your client-side posture at a glance, and track the trend over time.
Zero Installation Required
No code changes, no plugins, and no impact on site performance. ScriptPatrol monitors your pages externally, the same way your customers access them — including sites behind Cloudflare.
Security Dashboard & Reports
Track Security Score, top risks, and your full audit trail from one dashboard. Export PDF reports with script inventory and change history whenever you need them.

Built for security and compliance teams

When you have to prove what was running — and watch the environments the public never sees — ScriptPatrol gives you evidence you can verify yourself and access your network team controls.

Evidence you can verify yourself

Every exported report carries a SHA-256 Merkle root that proves its contents are intact — recomputable by anyone. When a trusted timestamp is available, the report is also sealed with an RFC 3161 token from a public authority that proves when it was recorded. Both are verifiable with standard, open tools — not just our word for it.

merkle_root
a3f1b9c4e7…d28f0a51
SHA-256 Merkle root · independently verifiable
+ RFC 3161 trusted timestamp when available

Monitor staging and restricted environments

Point ScriptPatrol at a staging, integration, or access-restricted environment and let us in the way your security team prefers — a stable egress IP to allowlist, a per-site secret header, or a mutual-TLS client certificate. Nothing is installed on the environment itself.

IP allowlistSecret headerMutual TLS

Need PCI DSS Evidence? It's Built In.

The same data that powers detection also produces the script-inventory and change-detection evidence PCI DSS asks for. This applies to merchants who file SAQ A-EP or SAQ D; merchants on SAQ A (hosted or redirect payment pages) have not needed requirements 6.4.3 or 11.6.1 since March 31, 2025 — but client-side monitoring still protects your customers either way.

6.4.3

Script Inventory

A documented inventory of every script on the page, which ScriptPatrol maintains automatically:

  • A record of each script and where it came from
  • Authorization status for each script
  • SHA-256 integrity verification
11.6.1

Change Detection

A mechanism that detects unauthorized changes to the page, which ScriptPatrol runs continuously:

  • Monitoring of security headers
  • Detection of changes to page scripts and content
  • Alerting on unauthorized modifications

ScriptPatrol provides the technical controls and exportable evidence for both requirements.

Built for:
Magecart detection
Supply-chain monitoring
Data-flow mapping
Runtime CSP detection
Security Score
Verifiable evidence
Restricted environments
PCI DSS evidence (SAQ A-EP/D)

Engineering

Notes from the build

How the detection works, how we scan behind firewalls, and what we're shipping next.

Coverage & Strategy
11 min

Which Websites Need Client-Side Script Monitoring — A Guide by Site Type

Industry is the wrong question. What makes a page worth monitoring is a mechanism: it runs scripts in the browser where someone logs in, pays, or enters personal data. A practical guide to the site types that need it — checkout, SaaS logins, banking, booking, healthcare, membership, custom/headless, and sites behind Cloudflare — and what an external monitor can actually watch on each.

ScriptPatrol TeamRead more
For Website Owners
6 min

How to Check Your Website for Unauthorized or Malicious Scripts (Free)

A practical guide for any website owner: how to see every third-party script running on your pages, how to spot one that has been tampered with or does not belong, the limits of checking by hand, and how to get the full picture in about a minute — free, no code.

ScriptPatrol TeamRead more
For Website Owners
7 min

A Website Owner's Guide to Script Security in 2026 (No Jargon)

You do not need to be a developer to protect your site. A plain-English guide for website and online-shop owners: what the JavaScript on your pages actually does, what can go wrong, how attackers steal cards and credentials through it, and the four simple questions you should be able to answer about your own site this week.

ScriptPatrol TeamRead more

Common Questions

Client-Side Security, Answered

How the monitoring works, what it catches, and what it costs.

See what your firewall can't

Be first to know when a script changes

We inventory every script your customers run within 24 hours, then alert you as soon as a scan detects one changed or added — the first sign of a skimmer.

Zero installation required
Works behind Cloudflare
Magecart & supply-chain detection
Continuous monitoring
5 min
Setup
24 h
First report
Daily
Monitoring
Zero
Code changes

© 2026 ScriptPatrol

·Follow us