Frequently asked questions
Questions about client-side security, answered
How ScriptPatrol works, what it detects, how it fits alongside your WAF and CSP, what it costs, and how your data is handled. Still stuck? Reach out — a human reads every message.
How it works
The basics — what ScriptPatrol watches and how it sees it.
- What does ScriptPatrol monitor that my WAF and server can't see?
- Firewalls and servers protect your infrastructure, but they cannot see the JavaScript that actually executes in your users' browsers — which is exactly where Magecart and supply-chain skimmers operate. ScriptPatrol loads your checkout, login, and admin pages like a real visitor, catalogs every script with a SHA-256 hash, and alerts you when an unauthorized or unexpected script appears or changes.
- Do I need to install anything on my website?
- No — nothing to install and no code to embed, ever. ScriptPatrol monitors your pages externally, the way any visitor loads them, with zero impact on performance, and it works on sites behind Cloudflare and bot protection out of the box. If your firewall is strict and you want a clean, unthrottled scan, you can optionally allowlist ScriptPatrol with a single "skip" rule in your WAF — still no code. It is fully optional: skip it and monitoring just runs in standard mode.
- What is the Security Score?
- Every monitored page gets an A+ to F Security Score built from your response headers, TLS configuration, and live script integrity against a known baseline. It lets you see and prove your client-side security posture at a glance and track it over time.
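The script inventory described in the first answer above (hash every script with SHA-256, then flag anything new or changed against a baseline) can be sketched as follows. This is an added example, not ScriptPatrol's code: the function names, the `.example` URLs and the script bodies are constructed, and external script content is passed in as a dict so the block runs offline.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def inventory(html, bodies):
    """Map each script to its SHA-256; `bodies` holds fetched external content."""
    parser = ScriptCollector()
    parser.feed(html)
    inv = {url: hashlib.sha256(bodies[url]).hexdigest() for url in parser.external}
    for body in parser.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        inv["inline:" + digest[:16]] = digest  # inline scripts are keyed by content
    return inv

def diff(baseline, current):
    """Added, removed and changed scripts relative to the trusted baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current
                          if k in baseline and current[k] != baseline[k]),
    }

# Constructed sample data: two snapshots of the same checkout page.
SHOP, VENDOR = "https://shop.example/js/checkout.js", "https://cdn.vendor.example/widget.js"
NEW = "https://static.unknown.example/a.js"
OLD_HTML = f'<script src="{SHOP}"></script><script src="{VENDOR}"></script><script>initCart();</script>'
NEW_HTML = OLD_HTML + f'<script src="{NEW}"></script>'
BASELINE = inventory(OLD_HTML, {SHOP: b"pay()", VENDOR: b"widget(1)"})
REPORT = diff(BASELINE, inventory(NEW_HTML, {SHOP: b"pay()", VENDOR: b"widget(2)", NEW: b"x()"}))
```

Because inline scripts have no URL, an edited inline script shows up as one removed entry plus one added entry rather than as "changed".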
Detection & coverage
What ScriptPatrol catches, and how it tells signal from noise.
- How does ScriptPatrol detect Magecart and supply-chain attacks?
- Every script change is scored from 0 to 100 and explained for your exact platform and page type — not a generic "suspicious activity" ping. Injected skimmers, compromised third-party code, and silently modified scripts get caught and explained. Routine vendor updates are recognized and filtered out, so an alert always means something worth your attention.
- Can ScriptPatrol show me where my pages send data?
- Yes. As it scans a page, ScriptPatrol maps every destination that page contacts, separates your own domain from third-party endpoints, names the vendors it knows, and flags destinations it does not recognize. A destination you never authorized — quietly receiving what your visitors type — is a classic sign of a skimmer siphoning passwords, card numbers, or personal data.
- Can ScriptPatrol catch unauthorized scripts between scans?
- Yes. Point your site's Content-Security-Policy report-uri at ScriptPatrol and your visitors' browsers will report blocked or unexpected scripts the moment they occur, in between scheduled scans. Each runtime report is matched against your script baseline, risk-scored, timestamped, and shown in your dashboard. Turning it on is a single response-header directive — still no code or agent on your site.
- What happens if an unauthorized change is detected?
- When a change is detected, it is logged with a timestamp, scored by the risk engine, and surfaced in your dashboard and reports. You can configure email and Slack alerts so your team is notified as soon as a scan detects it, with an AI-written explanation of what changed and what to check first.
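The runtime reporting described above relies on the JSON body a browser posts to a `report-uri` endpoint (content type `application/csp-report`). The following added example, which is not ScriptPatrol's code, triages such reports against a script baseline; the endpoint in the comment, the baseline, the verdict names and the sample reports are all constructed.

```python
import json
from urllib.parse import urlsplit

# Header that produces these reports (placeholder endpoint, not a real one):
#   Content-Security-Policy-Report-Only: script-src 'self'; report-uri https://reports.example/csp

BASELINE_SCRIPTS = {  # constructed baseline of approved script URLs
    "https://shop.example/js/checkout.js",
    "https://cdn.vendor.example/widget.js",
}

def triage_csp_report(raw, baseline=BASELINE_SCRIPTS):
    """Classify one csp-report body; returns None for non-script violations."""
    report = json.loads(raw).get("csp-report", {})
    # Older browsers send only violated-directive, sometimes with its sources.
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    if not directive.startswith("script-src"):
        return None
    blocked = report.get("blocked-uri", "")
    host = urlsplit(blocked).hostname
    known_hosts = {urlsplit(u).hostname for u in baseline}
    if host is None:
        verdict = "inline-or-eval"   # blocked-uri is a keyword such as "inline"
    elif blocked in baseline:
        verdict = "in-baseline"      # approved script blocked: policy has drifted
    elif host in known_hosts:
        verdict = "known-host"       # browsers may truncate the URI to its origin
    else:
        verdict = "unknown-host"     # never seen in the baseline: investigate first
    return {"page": report.get("document-uri", ""), "blocked": blocked, "verdict": verdict}

def make_report(directive, blocked):
    """Build a constructed report body for the sample checkout page."""
    return json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "violated-directive": directive,
        "blocked-uri": blocked,
    }})

SAMPLES = [
    make_report("script-src-elem", "https://static.unknown.example/a.js"),
    make_report("script-src 'self'", "inline"),
    make_report("script-src-elem", "https://cdn.vendor.example"),
    make_report("img-src", "https://img.example/p.png"),
]
VERDICTS = [r and r["verdict"] for r in map(triage_csp_report, SAMPLES)]
```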
Setup & compatibility
Getting started, supported platforms, and authenticated pages.
- How do I get started, and how long does setup take?
- Run a free scan of any page to see your Security Score and script inventory in about a minute — no account required. When you are ready for continuous monitoring, create a free account and add the pages you want watched. Setup takes a few minutes, and there is nothing to install on your site.
- Which platforms and tech stacks does it work with?
- ScriptPatrol uses external browser-based scanning, so it works with any platform or framework: WooCommerce, Magento, Shopify, BigCommerce, OpenCart, and Shoptet, as well as custom and in-house stacks, SaaS apps, and headless or decoupled architectures. No installation and no code changes.
- What if my checkout or admin page requires login?
- Many critical pages support guest access and are reachable without authentication. If a monitored page requires login, you can provide test credentials during setup and ScriptPatrol will handle authenticated sessions automatically for ongoing monitoring. Any credentials you provide are encrypted at rest with AES-256.
Compliance & data
PCI DSS evidence and how ScriptPatrol handles your data.
- Can I use ScriptPatrol reports for PCI DSS evidence?
- Yes, where it applies. You can export PDF reports with a full script inventory and change history. For merchants who file PCI DSS SAQ A-EP or SAQ D, these map directly to the script-inventory (6.4.3) and change-detection (11.6.1) evidence those assessments ask for. Most small e-shops use a hosted or redirect payment page and file SAQ A, which since March 31, 2025 no longer requires 6.4.3 or 11.6.1 — but client-side monitoring still protects your customers and your brand.
- Where is my data stored, and is it private?
- Your data is hosted in Germany (EU). ScriptPatrol uses no tracking cookies and no third-party analytics. For your monitored sites it stores script URLs and SHA-256 content hashes — not the full content of third-party scripts — and any site credentials you provide are encrypted at rest with AES-256. The full record of what is collected and why is in our Privacy Policy.
Pricing & fit
What it costs and how it sits alongside your existing tools.
- How much does ScriptPatrol cost?
- ScriptPatrol is free during open beta — monitor up to 3 sites with unlimited pages each, no credit card required. Beta users will get plenty of notice before any paid plans are introduced.
- Is ScriptPatrol a replacement for my WAF, CSP, or security grader?
- No — it is the layer they cannot cover. A WAF protects your infrastructure, a CSP restricts which scripts may run, and a header grader scores your configuration. None of them see whether the live JavaScript on your page still matches a trusted baseline. ScriptPatrol is built to sit beside them and fill that blind spot. If you run a CSP with a report-uri, you can even point it at ScriptPatrol to capture runtime violations between scans.
Still have a question?
Run a free scan to see exactly how ScriptPatrol reads your pages, or email us — a human answers, not a bot.