What does ScriptPatrol monitor that my WAF and server can't see?

Firewalls and servers protect your infrastructure, but they cannot see the JavaScript that actually executes in your customers' browsers — which is exactly where Magecart and supply-chain skimmers operate. ScriptPatrol loads your checkout, login, and admin pages like a real visitor, catalogs every script with a SHA-256 hash, and alerts you when an unauthorized or unexpected script appears or changes.

How does ScriptPatrol detect Magecart and supply-chain attacks?

A purpose-built risk engine scores every script change from 0 to 100 and explains why each script is flagged, specific to your platform and page type. It catches injected skimmers, compromised third-party code, and silently modified scripts — and tells you exactly why, instead of a generic "suspicious activity" alert. Routine vendor updates are recognized and filtered out, so an alert means something worth your attention.

What is the Security Score?

Every monitored page gets an A+ to F Security Score built from your response headers, TLS configuration, and live script integrity against a known baseline. It lets you see and prove your client-side security posture at a glance and track it over time.

Do I need to install anything on my website?

No — nothing to install and no code to embed, ever. ScriptPatrol monitors your pages entirely externally, the same way a customer would access them, with zero impact on performance, and it works on sites behind Cloudflare and bot protection out of the box. If your firewall is strict and you want a clean, 100% complete scan with full security headers, you can optionally allowlist ScriptPatrol with a single "Skip" rule in your WAF (matching a secret header, or our fixed IPs) — still no code. It is fully optional: skip it and monitoring simply runs in standard mode.

Can I use ScriptPatrol reports for PCI DSS evidence?

Yes, where it applies. You can export PDF reports with a full script inventory and change history. For merchants who file PCI DSS SAQ A-EP or SAQ D, these map directly to the script-inventory (6.4.3) and change-detection (11.6.1) evidence those assessments ask for. Most small e-shops use a hosted or redirect payment page and file SAQ A, which since March 31, 2025 no longer requires 6.4.3 or 11.6.1 — but client-side monitoring still protects your customers and your brand.

What if my checkout or admin page requires login?

Many critical pages support guest access and are reachable without authentication. If a monitored page requires login, you can provide test credentials during setup and ScriptPatrol will handle authenticated sessions automatically for ongoing monitoring.

Which e-commerce platforms does it work with?

ScriptPatrol uses external browser-based scanning, so it works with any platform: WooCommerce, Magento, Shopify, BigCommerce, OpenCart, Shoptet, and custom stacks — including headless and decoupled architectures. No installation and no code changes.

What happens if an unauthorized change is detected?

When a change is detected, it is logged with a timestamp, scored by the risk engine, and surfaced in your dashboard and reports. You can configure email and Slack alerts so your team is notified as soon as a scan detects it, with an AI-written explanation of the change and remediation guidance.

Client-side security for e-commerce

A compromised script on your checkout can skim card data for months before you notice.

ScriptPatrol watches every script on your checkout, login and account pages and alerts you when one is changed or added — the first sign of a skimmer or a compromised third-party. The attack runs in your customer's browser, where your server and firewall never look.

Magecart & supply-chain detection A+ to F Security Score No code changes

Scan my store free See how it works

No credit card required · Set up in under 5 minutes · Works behind Cloudflare

Continuous monitoring in 3 steps

See and protect every script your customers actually run — no code changes required.

1

Add your critical pages

Point ScriptPatrol at your checkout, login or admin pages. Automatic path discovery does the rest in under a minute.

2

We watch every script

ScriptPatrol inventories and hashes every script, then grades each page on headers, TLS and live script integrity.

3

You hear about it first

Any unexpected or changed script triggers an email and Slack alert with a risk score and a clear next step.

Zero impact on your systems

Works behind Cloudflare

Exportable security reports

A single compromised third-party script can quietly skim card and login data from every visitor until it's found. Continuous client-side monitoring closes that gap.

How ScriptPatrol Helps

Visibility Into Every Script You Ship

Spot Magecart and unauthorized JavaScript on your most sensitive pages — with a clear Security Score and audit-ready reports, and no work added to your team.

Magecart & Supply-Chain Detection: A purpose-built risk engine scores every script change from 0 to 100 and explains why it is flagged — so injected skimmers, formjacking, and compromised third-party code stand out, while routine vendor updates are recognized and filtered automatically.
Live Script Inventory: Maintain a complete inventory of every script your pages load, each pinned to a SHA-256 hash and checked against a known baseline. Authorization status and change history are tracked automatically.
Daily Change Detection: ScriptPatrol re-checks your pages every day — scripts and security headers alike — so a change is caught within a day, not at your next manual audit. Every change is logged with a precise timestamp and a before-and-after comparison, then sent as an email and Slack alert with a plain-language AI explanation of what changed.
A+ to F Security Score: Grade every monitored page on its HTTP security headers, TLS, cookie flags, and live script integrity against a known baseline. See and prove your client-side posture at a glance, and track the trend over time.
Zero Installation Required: No code changes, no plugins, and no impact on site performance. ScriptPatrol monitors your pages externally, the same way your customers access them — including sites behind Cloudflare.
Security Dashboard & Reports: Track Security Score, top risks, and your full audit trail from one dashboard. Export PDF reports with script inventory and change history whenever you need them.

Need PCI DSS Evidence? It's Built In.

The same data that powers detection also produces the script-inventory and change-detection evidence PCI DSS asks for. This applies to merchants who file SAQ A-EP or SAQ D; merchants on SAQ A (hosted or redirect payment pages) have not needed requirements 6.4.3 or 11.6.1 since March 31, 2025 — but client-side monitoring still protects your customers either way.

6.4.3

Script Inventory

A documented inventory of every script on the page, which ScriptPatrol maintains automatically:

A record of each script and where it came from
Authorization status for each script
SHA-256 integrity verification

11.6.1

Change Detection

A mechanism that detects unauthorized changes to the page, which ScriptPatrol runs continuously:

Monitoring of security headers
Detection of changes to page scripts and content
Alerting on unauthorized modifications

ScriptPatrol provides the technical controls and exportable evidence for both requirements.

Built for:

Magecart detection

Supply-chain monitoring

Security Score

PCI DSS evidence (SAQ A-EP/D)

From the Engineering Team

Engineering Insights

Deep dives into the technical challenges of client-side security monitoring and how we solve them.

For Website Owners

May 26, 2026

7 min

A Website Owner's Guide to Script Security in 2026 (No Jargon)

You do not need to be a developer to protect your site. A plain-English guide for website and online-shop owners: what the JavaScript on your pages actually does, what can go wrong, how attackers steal cards and credentials through it, and the four simple questions you should be able to answer about your own site this week.

ScriptPatrol TeamRead more

Platform Capabilities

May 26, 2026

12 min

What ScriptPatrol Detects on Any Website: A 2026 Capabilities Guide

A clear, readable map of what ScriptPatrol monitors today on any kind of website — e-commerce, banking, SaaS, healthcare, government: multi-layer discovery of your critical pages, script intelligence across known vendors, the full set of HTTP security headers, smart change triage, and tamper-evident evidence.

ScriptPatrol TeamRead more

Product Launch

May 17, 2026

6 min

ScriptPatrol Is Now in Free Open Beta — Client-Side Security Monitoring at No Cost

Continuous monitoring of the JavaScript running on your checkout, login, and admin pages is free during our open beta. No credit card, no expiring trial. Here is why client-side monitoring matters, what good looks like, and how to switch it on for your store in minutes.

ScriptPatrol TeamRead more

View All Articles

Common Questions

Client-Side Security, Answered

Everything you need to know about how ScriptPatrol monitors the scripts your customers run.

See what your firewall can't

Start Monitoring Today

See every script your customers actually run within 24 hours, and get an alert when something changes. Continuous client-side monitoring with a clear Security Score.

Zero installation required

Works behind Cloudflare

Magecart & supply-chain detection

Continuous monitoring

Get Started Free Sign In

5 min

Setup

24 h

First report

Daily

Monitoring

Zero

Code changes

·Follow us