Disclaimer:
All information provided on this page was developed by TPimenta LAB. Please consult the official documentation for the most accurate and up-to-date information. We are not responsible for any issues, damages, or data loss that may occur from using this information.

USE AT YOUR OWN RISK.
🚨 Page Shield Alert
Interactive Lab: Client-side Security
Formerly Page Shield · Now Client-side Security

Cloudflare Page Shield Lab

Protect website visitors from client-side attacks like Magecart. Walk through a live supply-chain attack and see how Page Shield detects, scores, and blocks malicious scripts using CSP.

🌐 Browser loads page (scripts, fetches, cookies) → 📋 CF injects CSP header (report-only directive) → 📡 Browser reports to CF (CSP violation reports) → 🤖 ML analysis (Magecart · crypto · malware) → 🚨 Alert & block (CSP enforcement header)
⬀ Normal Operation
⚡ Supply Chain Attack
🔬 ML Detection
📡 Exfiltration Attempt
🛡️ CSP Enforcement
Magecart Attack Simulation
🔒 shop.example.com/checkout
🛒 2 items
Secure Checkout
Premium Widget ×1 $49.99
Shipping $4.99
Total $54.98
🔒 256-bit SSL • PCI DSS Compliant • Powered by Stripe
Scripts on this page
cdn.example.com/app.js
ajax.googleapis.com/jquery-3.7.0.min.js
js.stripe.com/v3/
💳 Card data being exfiltrated…
exfil.evil-tracker.io
🛡️ Blocked by Cloudflare Page Shield
cdn.evil-tracker.io violated Content-Security-Policy and was never executed.
🛡️ Page Shield Dashboard
shop.example.com · Cloudflare
Monitoring active
Overview: Scripts 3 · Connections 2 · Cookies 3 · Threats 0
Policies: CSP Headers
Activity Log
[00:00:01] ✅ Script approved: cdn.example.com/app.js
[00:00:01] ✅ Script approved: ajax.googleapis.com/jquery-3.7.0.min.js
[00:00:02] ✅ Script approved: js.stripe.com/v3/
[00:00:03] ✅ Connection approved: api.stripe.com
[00:00:03] ✅ Connection approved: www.google-analytics.com
[00:00:04] 🍪 Cookie detected: _session (HttpOnly, Secure)
[00:00:04] 🍪 Cookie detected: _ga (analytics)
Detected Scripts: All Approved
Outbound Connections
Detected Cookies
Content Security Rules
Allow approved scripts
Mode: Log · Status: Active
script-src 'self' cdn.example.com ajax.googleapis.com js.stripe.com
Block unauthorized scripts
Mode: Enforce · Status: Active
script-src 'self' cdn.example.com ajax.googleapis.com js.stripe.com; /* cdn.evil-tracker.io → NOT in allowlist → BLOCKED */
💡 Log rules generate Content-Security-Policy-Report-Only headers: scripts still run, but violations are reported.
💡 Enforce rules generate Content-Security-Policy headers: unauthorized scripts are blocked by the browser.
HTTP Response Headers injected by Cloudflare
Content-Security-Policy-Report-Only
script-src 'self' cdn.example.com ajax.googleapis.com js.stripe.com; connect-src 'self' api.stripe.com www.google-analytics.com; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?from=pageshield
How Cloudflare injects these headers:
1. Cloudflare sits as a reverse proxy between the internet and your origin server
2. When your server returns an HTTP response, Cloudflare adds the CSP header before forwarding it to the browser
3. The browser applies the CSP (in Report-Only mode it only reports violations; in Enforce mode it also blocks the resource) and sends violation reports back to Cloudflare's reporting endpoint
4. Page Shield processes these reports to build a list of all scripts & connections on your site
5. Enterprise ML: Cloudflare downloads each script and runs it through classifiers for Magecart, cryptomining, and malware
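The Log/Enforce distinction and the report flow above, as an added Python model (not Cloudflare's code): it builds the header from the lab's allowlist and turns constructed violation reports, in the browser's application/csp-report POST format, into activity-log entries. The report-uri and hostnames are taken from the lab; the sample report paths and the script/log formats are assumptions.

```python
"""Added model of the flow above: build the CSP header the proxy injects
for the lab allowlist, then parse the browser's violation reports."""
import json
from urllib.parse import urlparse

# Allowlist copied from the lab's Content Security Rules.
SCRIPT_SRC = ["'self'", "cdn.example.com", "ajax.googleapis.com", "js.stripe.com"]
CONNECT_SRC = ["'self'", "api.stripe.com", "www.google-analytics.com"]
REPORT_URI = ("https://csp-reporting.cloudflare.com/cdn-cgi/"
              "script_monitor/report?from=pageshield")

def build_csp(enforce: bool) -> tuple[str, str]:
    """Log mode -> Report-Only header; Enforce mode -> blocking header."""
    name = "Content-Security-Policy" + ("" if enforce else "-Report-Only")
    value = "; ".join(["script-src " + " ".join(SCRIPT_SRC),
                       "connect-src " + " ".join(CONNECT_SRC),
                       "report-uri " + REPORT_URI])
    return name, value

def process_report(raw_body: str, enforce: bool) -> dict:
    """Parse one application/csp-report body into a log entry.
    blocked-uri is a URL, or a keyword such as 'inline' or 'eval'."""
    r = json.loads(raw_body)["csp-report"]
    # Older browsers put the full directive text in violated-directive.
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    blocked = r.get("blocked-uri", "")
    return {"directive": directive,
            "host": urlparse(blocked).hostname or blocked,
            "document": urlparse(r["document-uri"]).hostname,
            # In Log mode the resource still loaded and was only reported.
            "action": "blocked" if enforce else "reported-only"}

# Constructed sample reports mirroring the lab's Magecart scenario.
DOC = "https://shop.example.com/checkout"
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": DOC, "effective-directive": "script-src",
        "violated-directive": "script-src", "blocked-uri": "https://cdn.evil-tracker.io/loader.js"}}),
    json.dumps({"csp-report": {"document-uri": DOC, "blocked-uri": "https://exfil.evil-tracker.io/collect",
        "violated-directive": "connect-src 'self' api.stripe.com www.google-analytics.com"}}),
    json.dumps({"csp-report": {"document-uri": DOC, "effective-directive": "script-src",
        "blocked-uri": "inline"}}),
]

if __name__ == "__main__":
    print(*build_csp(enforce=False), sep=": ")
    for body in SAMPLE_REPORTS:
        e = process_report(body, enforce=True)
        print(f"🚨 {e['directive']} violation: {e['host']} on {e['document']} -> {e['action']}")
```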