ScriptPatrol is often introduced as a tool for e-commerce checkout pages, but that undersells what the platform actually does. It is a continuous client-side security monitor for any website that has critical user flows: e-commerce checkouts, online-banking login, SaaS dashboards, healthcare patient portals, government identity pages, internal admin consoles. Wherever a single malicious script could harm the user or the business, ScriptPatrol watches.
This article is a detailed, technical-but-readable map of what the platform monitors today, how it does it at a high level, and what numbers back it up. It is intentionally light on internal engineering — that is a competitive moat — but heavy on the measurable surface of the product.
0. Who needs this — and it is not only e-commerce
Magecart and similar JavaScript supply-chain attacks made checkout pages famous, but the same attack mechanics apply anywhere a sensitive form runs in the browser. Five categories of site benefit from continuous client-side monitoring:
- Checkout, cart, customer account — the canonical Magecart targets, and the merchants covered by PCI DSS 6.4.3 / 11.6.1.
- Login pages, money-transfer flows, statement downloads — high-value targets where a single rogue script can intercept credentials or transactions.
- Tenant dashboards, billing portals, super-admin tools — a compromised tag manager here exfiltrates entire customer databases.
- Patient portals, eGovernment identity flows, benefits applications — pages with regulated data that must not leak to unknown third parties.
- Sites with heavy tag-manager and analytics use — lots of moving JavaScript and high vendor churn. A continuous inventory catches both performance regressions and unauthorised additions.
1. How the platform is wired (the 30-second tour)
ScriptPatrol runs as a hosted service. You point it at a domain — or install one of our six native e-commerce plugins for one-click setup — and the platform takes care of the rest. At a high level, three components cooperate:
- API layer. Handles authentication, site registration, schedules, report generation, and the dashboard. It is the only part of the platform you ever interact with directly.
- Discovery and scan workers. A pool of headless workers picks scan jobs off a fair-scheduling queue and produces a complete inventory + diff for each scheduled page. Concurrency auto-scales between 2 and 32 parallel browsers depending on host CPU.
- Detection & evidence layer. Diff, vendor matching, malware patterns, header drift, Security Score, and cryptographically timestamped export all live here.
All you ever see is the dashboard and the alerts. The architecture matters because it is tamper-proof from the outside: you do not embed any of our JavaScript on your pages, so an attacker who compromises your site cannot also disable the monitor. That is a deliberate design choice and one we wrote about in detail in our piece on why an embedded JS tag is the wrong way to monitor your scripts.
2. Discovery — finding what is worth monitoring
Monitoring is only as good as the pages you point it at. A homepage scan tells you very little; the real attack surface lives on the small set of pages where users authenticate, transact, or administer the site. ScriptPatrol finds those pages automatically on every new site through four cooperating layers:
- XML and HTML sitemaps, plus robots.txt directives, are parsed and de-noised. Robots-disallowed paths are excluded; common noise (locale variants, faceted-search URLs) is filtered out.
- Multi-level link following with politeness delays, soft-404 guards, and a Bloom-filter deduplicator sized up to one million URLs at a 0.1% false-positive rate — the crawler scales to very large sites without exploding RAM.
- A curated set of 127 universally critical paths is probed directly — /checkout, /login, /account, password reset, admin and common API endpoints — in ten languages, including localised variants such as /prihlaseni, /anmelden and /iniciar-sesion. Each probe is verified to be a real page, not a redirect or soft-404.
- Route tables are extracted from React Router, Vue Router and similar SPA bundles to reveal pages that are never linked from HTML — deep account settings, admin sub-routes, hidden flows discoverable only by inspecting the JS.
Two supporting passes run alongside the main layers: an early WAF / bot-protection check (so scans are not silently fed challenge pages), and a framework fingerprint (Shopify, WooCommerce, Magento, PrestaShop, Shoptet and similar) that unlocks platform-specific critical paths.
On top of those layers sits a multilingual page classifier. It identifies what each URL does — checkout, login, registration, password reset, account, admin — across English, German, Czech, Slovak, Polish, Spanish, French, Italian, Portuguese and Dutch. English-only tools routinely miss the critical pages on non-English sites; the classifier closes that gap.
Signal over noise, by default
In a May 2026 live test against 40 random prospect sites, tuning brought the per-site CRITICAL-path count down from a pre-tuning peak of 52 to a maximum of 3. You see the pages that matter, not a wall of weakly-classified URLs.
3. The scan — what we actually capture per page
Each monitored path is scanned on a schedule using a real, fully rendered browser. JavaScript executes; SPA routes resolve; lazy-loaded scripts are observed; cookies and storage state are captured. Every scan produces a complete record:
- All external <script src> URLs, each fingerprinted with a SHA-256 hash of its loaded content, plus load method (sync / async / defer / dynamic), SRI hash, and HTML attributes (crossorigin, nonce, integrity, type)
- All inline scripts (content-hashed, with size, integrity fingerprint, and a preview — we capture edits to the bytes of the page, not just URL changes)
- Eight tracked security headers — Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy
- Outbound redirects (chain, hop count, type), unexpected destination domains, and mixed-content events (HTTP loads on HTTPS pages)
- Set-Cookie headers, HTTP status, response timing, and challenge-page detection signals for trend analysis
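What a per-page scan record of this shape looks like in code, as an added Python example that is not ScriptPatrol's own code: it parses a constructed page with the standard-library HTML parser, fingerprints each external script's body and each inline script's bytes with SHA-256, and records load method, SRI value and the listed attributes. The hostnames (reserved .test TLD), the placeholder integrity value and the script bodies are all constructed; the fetch table stands in for the downloads a rendered browser would perform, and runtime-injected ("dynamic") scripts are outside what a static parser can see.

```python
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample page; the .test hostnames are not real sites and the
# integrity value is a placeholder, not a real SRI digest.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-vendor.test/analytics.js?v=123" async crossorigin="anonymous"></script>
<script src="https://static.example-shop.test/checkout.js" defer integrity="sha256-PLACEHOLDER"></script>
<script nonce="abc123">window.cartTotal = 0; document.querySelector('#card-number');</script>
</head><body></body></html>"""

# Stand-in for the network fetch a rendered browser performs: URL -> response body.
FETCHED_BODIES: Dict[str, bytes] = {
    "https://cdn.example-vendor.test/analytics.js?v=123": b"window.analytics = function () {};",
    "https://static.example-shop.test/checkout.js": b"export function submitOrder() {}",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_method(attrs: Dict[str, Optional[str]]) -> str:
    # Markup-declared scripts only; scripts inserted at runtime ("dynamic")
    # are only visible to a browser that actually executes the page.
    if "async" in attrs:
        return "async"
    if "defer" in attrs:
        return "defer"
    return "sync"


class ScriptCollector(HTMLParser):
    """Collects one record per <script> element, external or inline."""

    def __init__(self, fetch: Dict[str, bytes]):
        super().__init__()
        self.fetch = fetch
        self.records: List[dict] = []
        self._attrs: Optional[Dict[str, Optional[str]]] = None
        self._chunks: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)   # boolean attributes (async, defer) map to None
            self._chunks = []

    def handle_data(self, data):
        if self._attrs is not None:     # inside a <script> element: raw body text
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._attrs is None:
            return
        attrs, self._attrs = self._attrs, None
        tracked = {k: attrs[k] for k in ("crossorigin", "nonce", "integrity", "type") if k in attrs}
        src = attrs.get("src")
        if src:
            body = self.fetch.get(src)  # None if the fetch failed: record it, don't guess
            self.records.append({
                "kind": "external",
                "src": src,
                "sha256": sha256_hex(body) if body is not None else None,
                "load": load_method(attrs),
                "sri": attrs.get("integrity"),
                "attrs": tracked,
            })
        else:
            content = "".join(self._chunks).encode()
            self.records.append({
                "kind": "inline",
                "sha256": sha256_hex(content),   # byte-level: any edit changes this
                "size": len(content),
                "preview": content[:40].decode(errors="replace"),
                "attrs": tracked,
            })


def inventory(html: str, fetch: Dict[str, bytes]) -> List[dict]:
    collector = ScriptCollector(fetch)
    collector.feed(html)
    collector.close()
    return collector.records


if __name__ == "__main__":
    for record in inventory(SAMPLE_HTML, FETCHED_BODIES):
        print(record)
```

Comparing two such records by `sha256` rather than by `src` is what lets an inline edit of a single byte show up even when the page's markup otherwise looks identical.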
WAF presence is detected automatically. Cloudflare, Akamai, and other major bot-mitigation services are recognised on the first scan, and the platform adapts so that protected pages can still be inventoried with no IP allowlisting, no JavaScript tag on your site, and no weakening of your security configuration. The detection–adaptation workflow is covered in detail in our piece on scanning behind Cloudflare.
No silent failures
Every scan result is verified against known challenge-page signatures before being stored as a baseline. If the captured content looks like a bot-mitigation page rather than your real page, the scan is discarded and retried — never reported as success. That single guardrail eliminates an entire class of false-clean reports that competing tools regularly produce.
4. Detection — the layers that read meaning into the inventory
The inventory is one half of the job. The other half is reading meaning into it. Each new scan is compared against the stored baseline and run through several detectors in parallel:
Script change detection
Added scripts, removed scripts, and modified scripts (by content hash) are reported with a full diff. Inline-script edits are compared at the byte level — not just the URL — so stealth injections cannot hide behind an unchanged filename. Diffs are stored, viewable, and exportable.
Magecart and skimmer patterns
Known malicious code patterns — card-data exfiltration to unusual domains, form-field listeners attached to checkout or login inputs, base64-encoded payload obfuscation, suspicious WebSocket and beacon usage — are evaluated on every script every scan. Suspect matches are escalated as CRITICAL alerts and never delayed by learning-mode windows.
Vendor and supply-chain risk
Each external script is matched against an internal database of 194 known vendors — analytics, payments, CDN, A/B testing, chat, tag managers, consent platforms, customer-data platforms. Unknown domains are checked for typosquatting against the trusted set. New fourth-party loads (a known vendor that begins pulling in a previously unseen third party) are surfaced explicitly, because that is the classic compromise path.
Security header drift
CSP, HSTS, X-Frame-Options, and friends are tracked as their own baseline. Weakening a CSP (loosening script-src, removing frame-ancestors) or removing HSTS is treated as a high-severity event, even if no script changed.
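The header-drift rule above, as an added Python example rather than the platform's own detector: the eight tracked headers are compared against a baseline, a removed CSP or HSTS header is rated high, and the CSP is parsed per directive so that a loosened script-src (a weak source expression such as 'unsafe-inline' appearing) or a dropped frame-ancestors is called out even when every script on the page is unchanged. The severity labels, the list of weak source expressions and both header sets are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

TRACKED_HEADERS = (
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
    "cross-origin-opener-policy", "cross-origin-embedder-policy",
)
# Source expressions whose appearance makes script-src materially weaker (constructed list).
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:", "blob:"}

Finding = Tuple[str, str, str]  # (severity, header name, detail)


def parse_csp(value: str) -> Dict[str, Set[str]]:
    """Split a CSP into {directive: set(source expressions)}."""
    directives: Dict[str, Set[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = set(tokens[1:])
    return directives


def hsts_max_age(value: str) -> int:
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                return int(token[len("max-age="):])
            except ValueError:
                return 0
    return 0


def csp_drift(old: str, new: str) -> List[Finding]:
    findings: List[Finding] = []
    o, n = parse_csp(old), parse_csp(new)
    # script-src falls back to default-src when it is absent
    old_scripts = o.get("script-src", o.get("default-src", set()))
    new_scripts = n.get("script-src", n.get("default-src", set()))
    gained = new_scripts - old_scripts
    weak = gained & WEAK_SCRIPT_SOURCES
    if weak:
        findings.append(("HIGH", "content-security-policy",
                         "script-src loosened with " + ", ".join(sorted(weak))))
    elif gained:
        findings.append(("HIGH", "content-security-policy",
                         "script-src now allows new sources: " + ", ".join(sorted(gained))))
    if "frame-ancestors" in o and "frame-ancestors" not in n:
        findings.append(("HIGH", "content-security-policy", "frame-ancestors removed"))
    if not findings and o != n:
        findings.append(("MEDIUM", "content-security-policy", "policy changed"))
    return findings


def header_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    b = {k.lower(): v.strip() for k, v in baseline.items()}
    c = {k.lower(): v.strip() for k, v in current.items()}
    findings: List[Finding] = []
    for name in TRACKED_HEADERS:
        old, new = b.get(name), c.get(name)
        if old is None and new is None:
            continue
        if new is None:
            sev = "HIGH" if name in ("content-security-policy", "strict-transport-security") else "MEDIUM"
            findings.append((sev, name, "header removed"))
        elif old is None:
            findings.append(("INFO", name, "header added"))
        elif old != new:
            if name == "content-security-policy":
                findings.extend(csp_drift(old, new))
            elif name == "strict-transport-security" and hsts_max_age(new) < hsts_max_age(old):
                findings.append(("MEDIUM", name, f"max-age reduced {hsts_max_age(old)} -> {hsts_max_age(new)}"))
            else:
                findings.append(("LOW", name, f"value changed: {old!r} -> {new!r}"))
    return findings


# Constructed baseline and a later capture where HSTS disappeared, script-src
# gained 'unsafe-inline' and frame-ancestors was dropped; no script changed.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example-vendor.test; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
CURRENT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example-vendor.test",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for finding in header_drift(BASELINE_HEADERS, CURRENT_HEADERS):
        print(*finding)
```

Keeping the header baseline separate from the script baseline is the point: a deploy that touches only the web server or CDN configuration produces no script diff at all, and only a header-level comparison catches it.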
Redirect & domain-reputation analysis
Outbound network behaviour is mapped. New redirect chains, freshly registered destination domains, and domains with no reputation history are surfaced for review — even if no script tag changed and the headers look fine.
Security Score
Every site receives a per-path and overall A+ to F grade, blending header hardening, vendor risk, change volatility, and detector findings. The score is the single-glance answer to “is this site getting better or worse?” over time, and an effortless reporting line item for security and executive stakeholders.
5. Smart change triage — killing alert fatigue
Real websites change constantly. Tag managers rotate URLs every deploy. Analytics vendors cache-bust their scripts. CDNs append fingerprints. WAFs rotate tokens. Naively flagging every byte-level diff produces a review queue no one ever reads. ScriptPatrol uses four layers of triage that together make the alert flow trustworthy:
- Canonical-identity matching. Scripts are matched between scans by a stable identity, not by raw URL. Cache-busting query parameters, version suffixes, and WAF token rotations collapse into a benignRefresh state and are excluded from both alert flow and risk scoring.
- Chronic-churn detection. Each script identity has a rolling 14-day history (up to 10 recent observations) attached to it. Scripts that have churned continuously for weeks are weighted differently from scripts that have been stable for months and suddenly mutate. The former are noise; the latter is the signal you want at the top of the queue.
- Learning mode. For the first 7 days on a new site (extendable when the site keeps changing), routine churn is observed before alerting — the same pattern that lets a junior analyst learn what is “normal” for a site before paging anyone. Malware-pattern matches bypass this window and alert immediately.
- WAF allowlist. Cloudflare and similar challenge-platform scripts are automatically known-and-allowed, so they never count against your Security Score or fill up your alert inbox.
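The four triage layers above, worked through together in an added Python example (not ScriptPatrol's code): a canonical identity strips cache-bust query keys and content fingerprints from script URLs, a capped per-identity history measures churn, a Cloudflare challenge-platform path prefix is allowlisted, and a learning window holds routine verdicts back while a pattern match is still escalated immediately. The verdict names, the cache-bust key list, the churn threshold and the sample observations (with stand-in hash labels instead of real SHA-256 values) are all constructed for the example; only the 10-observation cap and 7-day window come from the article.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys that only bust caches and never change what the script is (constructed list).
CACHE_BUST_PARAMS = {"v", "ver", "version", "cb", "_", "t", "ts", "nocache", "rev", "h", "hash"}
# Cloudflare serves its challenge scripts under this path; they rotate by design.
WAF_SCRIPT_PREFIXES = ("/cdn-cgi/challenge-platform/",)
HISTORY_LEN = 10        # observations kept per identity (article: up to 10)
CHURN_THRESHOLD = 0.5   # share of past observations whose hash changed -> chronic churn
LEARNING_DAYS = 7       # routine changes are observed, not alerted, this long (article: 7 days)


def canonical_identity(url: str) -> str:
    """host + path without a content fingerprint + query minus cache-bust keys, sorted.
    Real configuration keys (e.g. a tag-manager container id) stay part of the identity."""
    p = urlsplit(url)
    path = re.sub(r"\.[0-9a-f]{6,}(?=\.m?js$)", "", p.path, flags=re.IGNORECASE)
    kept = sorted((k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
                  if k.lower() not in CACHE_BUST_PARAMS)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, urlencode(kept), ""))


@dataclass
class History:
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (raw url, hash), newest last

    def observe(self, url: str, sha256: str) -> None:
        self.entries.append((url, sha256))
        del self.entries[:-HISTORY_LEN]

    def churn_ratio(self) -> float:
        # Fraction of consecutive observation pairs whose hash differed.
        if len(self.entries) < 3:
            return 0.0
        changes = sum(1 for a, b in zip(self.entries, self.entries[1:]) if a[1] != b[1])
        return changes / (len(self.entries) - 1)


@dataclass
class Observation:
    url: str
    sha256: str
    malware_match: bool = False  # set by the pattern detector; bypasses learning mode


def triage(baseline: Dict[str, History], scan: List[Observation], site_age_days: int) -> Dict[str, str]:
    verdicts: Dict[str, str] = {}
    for obs in scan:
        ident = canonical_identity(obs.url)
        hist = baseline.get(ident)
        if obs.malware_match:
            verdict = "CRITICAL"
        elif hist is None or not hist.entries:
            verdict = "added"
        elif hist.entries[-1][1] == obs.sha256:
            verdict = "unchanged" if hist.entries[-1][0] == obs.url else "benignRefresh"
        elif urlsplit(obs.url).path.startswith(WAF_SCRIPT_PREFIXES):
            verdict = "benignRefresh"
        elif hist.churn_ratio() >= CHURN_THRESHOLD:
            verdict = "chronicChurn"
        else:
            verdict = "modified"  # stable for a long time, now different: top of the queue
        if site_age_days < LEARNING_DAYS and verdict in ("added", "modified", "chronicChurn"):
            verdict = "learning"
        verdicts[ident] = verdict
        if ident not in baseline:
            baseline[ident] = History()
        baseline[ident].observe(obs.url, obs.sha256)
    for ident in baseline:
        verdicts.setdefault(ident, "removed")
    return verdicts


# Constructed sample: ten prior scans, then a new one (.test hostnames, label hashes).
ANALYTICS = "https://cdn.example-vendor.test/analytics.js"
TAG = "https://tags.example-vendor.test/tag.{fp}.js"
CHECKOUT = "https://static.example-shop.test/checkout.js"
WAF = "https://www.example-shop.test/cdn-cgi/challenge-platform/scripts/jsd/main.js"
NEWCOMER = "https://cdn.unknown-host.test/loader.js"


def build_sample_baseline() -> Dict[str, History]:
    baseline: Dict[str, History] = {}
    for i in range(10):
        past = [
            Observation(f"{ANALYTICS}?v={100 + i}", "hash-analytics-stable"),   # cache-bust only
            Observation(TAG.format(fp=f"{i:06x}"), f"hash-tag-{i}"),            # churns every deploy
            Observation(CHECKOUT, "hash-checkout-stable"),                      # never changes
            Observation(WAF, f"hash-waf-{i}"),                                  # challenge script
        ]
        triage(baseline, past, site_age_days=30)
    return baseline


def run_sample(site_age_days: int) -> Dict[str, str]:
    baseline = build_sample_baseline()
    current = [
        Observation(f"{ANALYTICS}?v=200", "hash-analytics-stable"),
        Observation(TAG.format(fp="abcdef"), "hash-tag-new"),
        Observation(CHECKOUT, "hash-checkout-CHANGED"),
        Observation(WAF, "hash-waf-new"),
        Observation(NEWCOMER, "hash-loader"),
    ]
    return triage(baseline, current, site_age_days)


if __name__ == "__main__":
    for ident, verdict in run_sample(site_age_days=30).items():
        print(f"{verdict:14} {ident}")
```

On the constructed data the analytics and challenge scripts resolve to benignRefresh, the tag script to chronicChurn, the newcomer to added, and the long-stable checkout script to modified, which is the one item a reviewer should actually open; with a two-day-old site the same checkout change is held in learning instead, while a malware match is CRITICAL regardless of site age.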
Triage in numbers (live customer telemetry, May 2026)
Two anonymised beta customer sites were observed in May 2026. Site A's churn was entirely cache-bust and WAF token rotation (correctly auto-resolved). Site B had 411 genuine vendor changes during a marketing-stack rollout (correctly kept). Triage does not lose signal — it removes noise.
6. Evidence and compliance — proof that holds up under audit
Detection is useful in the moment; evidence is useful months later when somebody comes asking. Every scan ScriptPatrol performs is stored with a cryptographic timestamp. Snapshots are linked into a hash chain so that no individual scan record can be silently altered after the fact. Reports are exportable as PDF, with a full diff history and a verifiable evidence trail.
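The tamper-evidence property described above, shown with an added Python example that is a simplified stand-in for, not a copy of, the platform's evidence format: each snapshot header commits to the SHA-256 of its scan record and to the hash of the previous snapshot, so altering any stored record breaks verification at that snapshot, and re-hashing the altered entry only moves the break to the next link. The timestamps, the record contents and the hash labels inside the records are constructed. The final check also shows why the newest hash must be anchored outside the store (which is what a trusted timestamp provides): without an anchor, the last snapshot in a chain can be rewritten undetected.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value used by the first snapshot
HEADER_FIELDS = ("index", "timestamp", "prev_hash", "record_hash")


def canonical_bytes(obj: Any) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_snapshot(chain: List[Dict[str, Any]], record: Dict[str, Any], timestamp: str) -> Dict[str, Any]:
    header = {
        "index": len(chain),
        "timestamp": timestamp,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
        "record_hash": sha256_hex(canonical_bytes(record)),
    }
    entry = dict(header, hash=sha256_hex(canonical_bytes(header)), record=record)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """(True, None) if every link holds, else (False, index of the first bad snapshot).
    expected_head is an externally anchored copy of the newest hash, if available."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        header = {k: entry.get(k) for k in HEADER_FIELDS}
        if header["index"] != i or header["prev_hash"] != prev:
            return False, i
        if sha256_hex(canonical_bytes(entry["record"])) != header["record_hash"]:
            return False, i
        if sha256_hex(canonical_bytes(header)) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain) - 1
    return True, None


def build_sample_chain() -> List[Dict[str, Any]]:
    # Constructed scan records for one path over three nights (label hashes, not real digests).
    script = "https://static.example-shop.test/checkout.js"
    scans = [
        ("2026-05-01T02:00:00Z", {"path": "/checkout", "scripts": [{"src": script, "sha256": "hash-checkout-v1"}]}),
        ("2026-05-02T02:00:00Z", {"path": "/checkout", "scripts": [{"src": script, "sha256": "hash-checkout-v1"}]}),
        ("2026-05-03T02:00:00Z", {"path": "/checkout", "scripts": [{"src": script, "sha256": "hash-checkout-v2"}]}),
    ]
    chain: List[Dict[str, Any]] = []
    for timestamp, record in scans:
        append_snapshot(chain, record, timestamp)
    return chain


def tamper(chain: List[Dict[str, Any]], index: int, new_hash: str, rehash: bool = False) -> List[Dict[str, Any]]:
    """Return a copy with one stored record altered. With rehash=True the entry's own
    hashes are recomputed, as someone editing the store might; the next snapshot's
    prev_hash then no longer matches."""
    forged = copy.deepcopy(chain)
    forged[index]["record"]["scripts"][0]["sha256"] = new_hash
    if rehash:
        forged[index]["record_hash"] = sha256_hex(canonical_bytes(forged[index]["record"]))
        header = {k: forged[index][k] for k in HEADER_FIELDS}
        forged[index]["hash"] = sha256_hex(canonical_bytes(header))
    return forged


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited:", verify_chain(tamper(chain, 1, "hash-checkout-forged")))
    print("edited+rehashed:", verify_chain(tamper(chain, 1, "hash-checkout-forged", rehash=True)))
```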
For merchants who fall under PCI DSS Requirements 6.4.3 and 11.6.1 (SAQ A-EP and SAQ D, since March 2025), the same evidence satisfies the script inventory and change-detection obligations — without you assembling anything manually. If you are unsure whether 6.4.3 and 11.6.1 apply to your business, our PCI DSS script-requirements explainer walks through it in plain language.
7. Built for scale — without slowing anyone down
The platform is designed to keep critical pages monitored on schedule even as the number of sites grows. Three properties make that possible:
- Fair scheduling. Scan jobs are dispatched through a fair-scheduling queue so a single tenant with thousands of paths cannot monopolise capacity. Critical paths are always served first.
- Auto-scaled concurrency. Worker concurrency scales between 2 and 32 parallel browsers based on host CPU. When traffic dips, the platform sheds idle workers; when load grows, it spins up more — transparently to you.
- Polite domain rate-limiting. A per-domain limit caps concurrent requests at four, with randomised 250–1000 ms politeness delays between probes. We monitor your sites the way a careful real visitor would — no surprise traffic spikes, no triggering your own DDoS protection.
On top of all of that sits a 1,551-test automated suite (1,424 backend + 127 frontend) that must pass on every change. This is what lets us ship improvements weekly without quietly breaking the things customers already depend on.
For merchants on supported e-commerce platforms, the same architecture is reachable in around two minutes via our native plugins for WooCommerce, PrestaShop, Magento 2, BigCommerce, OpenCart, and Shoptet. But the platform is just as useful for any website you can give a URL to.
8. The numbers, all in one place
| Capability | Measured value |
|---|---|
| Common critical paths probed per site | 127 |
| URL deduplication capacity | up to 1,000,000 (0.1% FP) |
| Page-classifier language coverage | EN, DE, CS, SK, PL, ES, FR, IT, PT, NL |
| Security headers tracked | 8 (CSP, HSTS, XFO, …) |
| Vendors in script intelligence | 194 |
| E-commerce integrations | 6 platforms |
| Worker concurrency range | 2–32 parallel browsers |
| Per-domain concurrency cap | 4 (250–1000 ms delays) |
| Authenticated-session reuse TTL | up to 24 hours |
| Learning mode window | 7 days (extendable) |
| Chronic-churn lookback | 14 days / 10 observations |
| Security Score scale | A+ → F |
| Backend automated tests | 1,424 |
| Frontend automated tests | 127 |
| Max CRITICAL paths reported per site after tuning | 3 (down from 52) |
Figures as of May 26, 2026. Test counts reflect the main branch suite that gates every release.
What this adds up to
Most client-side security tools do one piece well — sometimes inventory, sometimes alerting, occasionally compliance reporting. ScriptPatrol is built so that every piece is reliable on its own and meaningful when combined: a complete map of what to watch, a clean inventory of what runs, a calm signal when something matters, and audit-grade evidence when someone asks for proof. All of it without a JavaScript tag on your site and without holes left by WAF protection.
If you would like to see what your own site looks like through it, the platform is currently in free open beta — no credit card, no expiring trial. Read more in our open-beta announcement, or sign up and run your first scan in under five minutes.
Frequently asked questions
Is ScriptPatrol only for e-commerce, or for any website?
ScriptPatrol works on any website that has critical user flows — checkout, login, account, password reset, admin, or any page where a malicious script could harm the user or the business. That includes e-commerce, online banking, SaaS dashboards, healthcare portals, and government sites. The detection logic is the same; only the page classifier prioritises which paths get the highest watch level.
What does ScriptPatrol actually detect on a website?
Every first-party and third-party script loaded on monitored pages (URL + SHA-256 hash), every byte-level change to inline scripts, modifications to eight tracked security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy), unexpected redirects, known malicious patterns, vendor risk (typosquatting, new fourth-party loads), and chronic-churn anomalies.
How does ScriptPatrol find the pages worth monitoring on a new site?
A multi-layer discovery engine combines sitemap and robots.txt mining, recursive crawling with a Bloom-filter dedup capable of holding up to one million URLs at a 0.1% false-positive rate, direct probing of 127 common critical paths in ten languages, and JavaScript bundle analysis (React, Vue, Angular route tables). Pages are then classified by criticality.
Does ScriptPatrol generate noisy alerts when scripts change frequently?
No. A canonical-identity matcher collapses cache-busting, query-string churn, and WAF token rotations into a benignRefresh state. A chronic-churn detector uses a 14-day rolling history (10 recent observations per identity) to weight stable-then-changed scripts higher than chronically noisy ones. A learning mode (7 days by default, extendable) suppresses alerts on day one. On a real customer site this triage took 28 review-queue items down to 0 without dropping any of the 411 genuine changes detected on a second site.
How does ScriptPatrol handle Cloudflare- or WAF-protected pages?
WAF presence is detected automatically on first scan; the platform adapts so protected pages can still be inventoried with no IP allowlisting, no embedded JavaScript tag, and no weakening of your security configuration. Every result is verified against known challenge-page signatures before being stored as a baseline — bot-mitigation pages are never reported as a clean scan.
Does the platform produce audit-grade evidence?
Yes. Every scan is stored, and snapshots are linked into a Merkle hash chain so any individual scan record can be cryptographically verified — the chain of evidence stays intact even months later. Reports are exportable as PDF. For merchants subject to PCI DSS 6.4.3 and 11.6.1 (SAQ A-EP and SAQ D since March 2025) the same evidence satisfies the script inventory and change-detection requirements.
Key takeaways
- ScriptPatrol monitors any website with critical user flows — e-commerce, banking, SaaS, healthcare, government — not just checkout pages.
- A multi-layer discovery engine probes 127 critical paths in 10 languages and reliably maps the attack surface on any site.
- Eight tracked security headers and 194 catalogued vendors are matched on every scan, so unfamiliar additions surface immediately.
- Canonical-identity matching + chronic-churn detection cut review-queue noise without losing real signal.
- WAF-protected pages are inventoried with zero configuration changes and never reported as false-clean.
- PCI DSS 6.4.3 and 11.6.1 evidence is Merkle-chained and assessor-ready.
- Architecture scales to 100+ sites with fair scheduling, auto-scaled 2–32 concurrency, and a 1,551-test safety net.
See What Runs on Your Site — in Under 5 Minutes
Add your domain, watch the discovery engine map your critical paths, and get your first Security Score and script inventory before your coffee gets cold.
Start Free — No Card Required