
Client-side security glossary

The vocabulary of web skimming, Magecart, and JavaScript security — defined in plain terms, with no jargon and no spin.

Magecart

An umbrella name for the cybercriminal groups and techniques that inject malicious JavaScript into e-commerce sites to steal payment-card and personal data as customers enter it at checkout. Because the code runs in the visitor’s browser, the theft is invisible to server-side and network defenses.

Web Skimming (E-Skimming)

Secretly injecting code into a website to capture sensitive data — card numbers, credentials, personal details — as visitors type it in. Also called digital skimming or e-skimming; Magecart is its best-known form.

Formjacking

A web-skimming technique in which malicious JavaScript intercepts data entered into a web form — login, checkout, or registration — before it is submitted to the legitimate server.

Client-Side Security

Security concerned with what happens inside the visitor’s browser — which JavaScript runs and where it sends data — rather than only the server or network. It complements, and does not replace, server-side and infrastructure controls.

Supply-Chain Attack

An attack that compromises a trusted third party — a vendor, library, or hosted script — to reach everyone who depends on it. On the web, a single compromised analytics, widget, or tag-manager script can affect every site that loads it.

Third-Party Script

JavaScript loaded from a domain other than your own — analytics, payment widgets, chat, tag managers. Essential to modern sites, but each one is code you do not control, running on your page.

Script Integrity

Assurance that the JavaScript running on a page has not changed from an approved version. It is typically verified by hashing each script (for example with SHA-256) and comparing it against a known baseline.

Baseline & Change Detection

A recorded snapshot of the scripts and security headers a page is supposed to have. Later scans are compared against this baseline, and any added, removed, or modified script is flagged as a change to review.

Security Score (A+ to F)

ScriptPatrol’s letter grade for a page, combining its HTTP security headers, TLS configuration, and live script integrity against a baseline into a single grade you can track over time and show to an assessor.

Content-Security-Policy (CSP)

An HTTP response header that tells the browser which sources may load scripts, styles, and other content. A strong CSP shrinks the attack surface, and its report-uri directive can send violation reports to a monitor — including ScriptPatrol — to catch unexpected scripts at runtime.

Subresource Integrity (SRI)

An HTML attribute that pins an external script or stylesheet to a known cryptographic hash, so the browser refuses to run it if the file changes. It is effective for static files but cannot cover scripts that are generated or legitimately change at runtime.
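The three hash-based ideas above (Script Integrity, Baseline & Change Detection, and SRI) rest on the same operation: hash each script, record the approved value, and flag anything that no longer matches. The following is an added illustration, not ScriptPatrol's own code; the script URLs and bodies are constructed stand-ins for fetched third-party JavaScript.

```python
import base64
import hashlib

# Constructed sample script bodies standing in for fetched third-party JavaScript.
APPROVED = {
    "https://cdn.example.com/analytics.js": b"window.track = function (e) { navigator.sendBeacon('/collect', e); };",
    "https://cdn.example.com/widget.js": b"document.body.insertAdjacentHTML('beforeend', '<div id=\"chat\"></div>');",
}

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form the SRI attribute expects: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_tag(url: str, body: bytes) -> str:
    """Script tag that pins the file: the browser refuses to run it if the hash no longer matches."""
    return f'<script src="{url}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'

def build_baseline(scripts: dict) -> dict:
    """Snapshot of the approved state: script URL -> integrity value."""
    return {url: sri_hash(body) for url, body in scripts.items()}

def diff_against_baseline(baseline: dict, observed: dict) -> dict:
    """Compare a later scan (URL -> body) with the baseline; every difference is flagged for review."""
    added = sorted(set(observed) - set(baseline))
    removed = sorted(set(baseline) - set(observed))
    modified = sorted(
        url for url in baseline.keys() & observed.keys()
        if sri_hash(observed[url]) != baseline[url]
    )
    return {"added": added, "removed": removed, "modified": modified}

def example_scan() -> dict:
    """Constructed later scan: analytics.js differs, widget.js is unchanged, an unknown script appeared."""
    observed = dict(APPROVED)
    observed["https://cdn.example.com/analytics.js"] += b"\n/* bytes not present in the approved version */"
    observed["https://cdn.example.org/unknown.js"] = b"/* script not in the baseline */"
    return diff_against_baseline(build_baseline(APPROVED), observed)

if __name__ == "__main__":
    for url, body in APPROVED.items():
        print(sri_tag(url, body))   # pin each approved file with an SRI attribute
    print(example_scan())           # {'added': [...unknown.js], 'removed': [], 'modified': [...analytics.js]}
```

Note that the modified analytics.js would also be refused by the browser if it were loaded with the pinned tag, which is exactly why SRI cannot be applied to scripts that legitimately change.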

WAF (Web Application Firewall)

A filter that sits in front of a web server and blocks malicious requests. It protects your infrastructure, but it operates before the browser — so it cannot see a skimmer that runs entirely client-side after the page has loaded.

From definitions to your real pages

See these concepts on your own site: run a free scan for your A+ to F Security Score, full script inventory, and a map of where each page sends data.