
How to Check Your Website for Unauthorized or Malicious Scripts


Every website loads code into its visitors' browsers that the owner never sees. Most of it is harmless — analytics, a chat widget, a payment library. But if one of those scripts is tampered with, it can quietly read what your visitors type — card numbers, passwords, personal details — and send it somewhere else, while the page keeps working perfectly. Here is how to check what is actually running on your site, by hand and the fast way.

The one thing to know

A page that looks completely normal can still be skimming data. The only way to be sure is to look at the scripts that actually run in a real browser — not the ones your raw HTML claims to load.

1. Why you can't see the risk from the page itself

The scripts on your site run in the visitor's browser, not on your server. Your firewall, your hosting provider and a service like Cloudflare all sit in front of your server — they never watch the JavaScript that executes on the customer's screen. And a third-party script gets the same access to the page as your own code does, including the checkout form and the password field. So a compromised script is invisible from two of the places you would naturally look: the page (it still works) and your server logs (the theft happens in the browser).

2. Checking by hand — and where it stops short

You can see some of this yourself, for free, right now:

  • Open your page and press F12 to open the browser developer tools.
  • Go to the Network tab, reload the page, and filter to JS to list every script file and the host it loads from.
  • Or open the Sources tab to browse the same scripts grouped by domain.

That gives you a rough roster of who is on the page. It is a good first step — but it is where most owners get stuck, because a list of hosts cannot answer the questions that matter:

Which of these is legitimate?

A raw hostname does not tell you whether cdn-analytics.io is a real vendor, a tracker you forgot about, or a look-alike domain set up to mimic one you trust. Telling them apart by eye, on every script, is exactly the part that is hard.

Did anything change?

The dangerous moment is when a script you already trusted is silently modified. Without a recorded baseline, a one-time look has nothing to compare today's scripts against.

What did you miss?

Skimmers are often injected at runtime by another script, so they may not appear in a quick glance. And you would need to repeat the whole exercise on every critical page — checkout, cart, login, account — every day, to keep it true.

3. The fast, complete way: a free scan

A free security scan does what a careful engineer would do, in about a minute. It loads your page in a real browser, captures every script that runs — including ones injected at runtime — names the vendor behind each one it recognizes, and flags anything unrecognized, any host that looks like a known vendor but isn't, and any host that appears on a public malware or phishing blocklist. It also reads your security headers and TLS, and folds all of it into a single A+ to F Security Score with a plain breakdown of why.


4. What to look for in the results

Whether you read the list yourself or let a scan grade it, these are the signals worth a second look — especially on a checkout or login page:

  • A third-party host you don't recognize and can't account for.
  • A look-alike domain — a host whose name resembles a known vendor but isn't theirs. A classic skimmer disguise.
  • A script loading from a host that appears on a known malware or phishing blocklist.
  • External scripts with no Subresource Integrity (SRI) and weak or missing security headers.
  • Anything that wasn't there the last time you checked.

None of these is automatically an attack. Each one is simply worth checking, to confirm that you put it there.
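
Once you have the script roster, several of these signals can be checked mechanically. The following is an added example, not code from this article or from any scanner: it flags unrecognized hosts, look-alike hosts (by edit distance to a trusted list), external scripts without SRI, and anything absent from a saved baseline. The hostnames, the trusted list, the distance threshold of 2 and the function names are constructed assumptions.

```javascript
// Added example (not the article's or any scanner's code): triage a script roster.
// In the browser console, collect the roster with:
//   [...document.scripts].filter(s => s.src).map(s => ({ src: s.src, integrity: s.integrity }))

// Levenshtein edit distance, used to spot hosts that nearly match a trusted one.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];            // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];         // D[i-1][j]
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Flag each script. First-party means an exact match with pageHost (assumption).
function auditScripts(roster, pageHost, trustedHosts, baselineSrcs) {
  const baseline = new Set(baselineSrcs);
  return roster.map(({ src, integrity }) => {
    const host = new URL(src).hostname;
    const flags = [];
    if (host !== pageHost) {
      if (!trustedHosts.includes(host)) {
        const near = trustedHosts.find(t => editDistance(host, t) <= 2);
        flags.push(near ? `look-alike of ${near}` : 'unrecognized host');
      }
      if (!integrity) flags.push('no SRI');   // external script without an integrity attribute
    }
    if (!baseline.has(src)) flags.push('new since baseline');
    return { src, host, flags };
  });
}

// Constructed sample data using reserved .example hostnames.
const SAMPLE_ROSTER = [
  { src: 'https://shop.example/js/app.js', integrity: '' },
  { src: 'https://cdn.vendor.example/pay.js', integrity: 'sha384-CONSTRUCTED' },
  { src: 'https://cdn.vend0r.example/pay.js', integrity: '' },
  { src: 'https://static.unknown-widgets.example/w.js', integrity: '' },
];
const SAMPLE_BASELINE = ['https://shop.example/js/app.js', 'https://cdn.vendor.example/pay.js'];
const report = auditScripts(SAMPLE_ROSTER, 'shop.example', ['cdn.vendor.example'], SAMPLE_BASELINE);
console.log(JSON.stringify(report, null, 2));
```

Comparing URLs against a baseline catches added scripts but not a file modified in place at the same URL; for that, the baseline also needs a hash of each script body.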

5. One page today, every page every day

A scan — by hand or automated — is a snapshot of the one page you check. Two things a snapshot can't do on its own: cover every critical page (most sites have several — checkout, cart, login, account, admin), and catch the moment a trusted script changes. That is the gap continuous monitoring closes: it discovers your critical pages for you, re-scans each one every day, keeps a baseline of exactly which scripts belong, and alerts you when one is changed or added — the first sign of a skimmer.

The free scan is the perfect first look. Monitoring is how it stays true after today.

Frequently asked questions

How do I check what scripts are running on my website?

You can see some of it yourself: open your page, open the browser developer tools (F12), go to the Network tab, reload, and filter to JS to list the script files and the hosts they load from. That tells you roughly who is on the page. It does not tell you whether any of those scripts has been tampered with, whether one impersonates a vendor you trust, or whether anything was injected at runtime by another script. A free external scan does all of that in about a minute and grades the result A+ to F.

Can I scan my website for malicious scripts for free?

Yes. A free security scan loads your page like a real visitor, captures every script that runs, identifies the vendor behind each one it recognizes, flags anything unrecognized or look-alike, and checks your security headers and TLS — returning a single A+ to F Security Score. No account, no credit card, and no code added to your site.

Does Cloudflare or my hosting provider protect me from a compromised script?

They protect different things. Cloudflare, your host and your platform block bad traffic, keep your server patched and filter obvious attacks. None of them watch the JavaScript that actually executes inside the browser of every visitor, which is exactly where a skimmer operates. That is a separate layer and a separate check.

I found a script I do not recognize — what should I do?

First confirm whether you added it: a tag manager, a plugin, or a vendor you signed up for can all load scripts you did not place by hand. If you cannot account for it, remove it, rotate your admin credentials, and review recent plugin and account activity. Then turn on continuous monitoring so the next unexpected script is caught for you automatically rather than on your next manual check.

Do I need to install anything to check my site?

No. An external scan runs entirely from outside your site, the way any visitor loads it. There is nothing to install and no code to add. You enter your address and get the result.
