Compliance
Page Protection
Track third-party scripts and page security headers to protect your page from malicious changes.
Evervault Page Protection helps protect companies from sophisticated card data breaches, while directly addressing new requirements in PCI DSS Version 4:
- Prevent Unauthorized Scripts (6.4.3)
- Verify Script Integrity (6.4.3)
- Maintain a Script Inventory (6.4.3)
- Header Tamper and Change Detection (11.6.1)
With monitoring and alerting, you'll detect potentially malicious JavaScript changes before they impact your customers — without the noise.
Getting Started
In the Compliance tab in the Evervault dashboard, click Add Page.
Specify the expected URL where it will be hosted, and an optional name to help identify the page.
To enable monitoring, follow the quickstart steps to add a script tag to your page:
Once deployed, any third-party script or security header changes made on your page will be tracked by Evervault.
Enable Alerts
To receive alerts for changes to your page, enable Page Protection events by navigating to App → Settings → Webhooks → Create Endpoint. Slack and standard webhooks are supported.
Select the following events:
Monitoring
Once our script detects a change, you will see new issues appear on the Open issues tab:
Review and approve each issue that's been detected, providing a reason for the change if you have one.
Reasons are only required when new scripts are added to the page. However, it's a good rule of thumb to add a reason for the change for auditing purposes if you can identify it.
Once approved, the issue will be marked as resolved. You can see all resolved issues in the Resolved tab, including the reviewer and reason for the change:
Auditing
All scripts and headers detected are stored for auditing purposes. From each inventory tab, you can export a CSV of all scripts and headers detected.
Scripts
Under the Scripts tab, you can see an inventory of all scripts detected on the page.
Click on a script to see its details, including the latest source code, reason for approval, and the history of changes and reviews:
Headers
Under the Headers tab, you can see an inventory of all security headers detected on the page.
You can copy the latest headers to your clipboard, or navigate the history of changes:
FAQs
How does Page Protection work?
Page Protection works by intercepting requests to all third-party scripts on your page (yes, even our own!). If a script is detected as new or has changed, you will receive an alert.
We also monitor changes to the security headers on your page.
Which headers does Evervault monitor?
We only monitor security headers that are used to protect against attacks like XSS and clickjacking:
Does Page Protection track self-hosted scripts?
Any scripts that are hosted on your own domain are not tracked by Page Protection. This includes any third-party code that is installed via a package manager like npm and bundled with your application.
Since these scripts are part of your static application bundle, they can be analyzed before deployment. We recommend using code analysis tools during your build process to monitor for potential security threats.
OWASP maintains a list of source code analysis tools.
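The detection model these answers describe (flag third-party scripts that are new or changed, skip scripts served from your own domain, flag security header changes) can be expressed as a diff against an approved inventory. The following is an added example for Node.js, not Evervault's code; the function names, sample URLs and script bodies, and the caller-supplied list of watched headers are assumptions.

```javascript
const { createHash } = require("node:crypto");

// SRI-style digest (sha384, base64), the format used by <script integrity="...">.
function sriDigest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// approved: Map of absolute script URL -> approved digest.
// observed: [{ url, body }] as seen on one page load (assumed input shape).
function diffScripts(pageUrl, approved, observed) {
  const pageOrigin = new URL(pageUrl).origin;
  const issues = [];
  for (const { url, body } of observed) {
    const abs = new URL(url, pageUrl); // resolve relative src values
    if (abs.origin === pageOrigin) continue; // self-hosted: not tracked
    const digest = sriDigest(body);
    const known = approved.get(abs.href);
    if (known === undefined) {
      issues.push({ type: "new_script", url: abs.href, digest });
    } else if (known !== digest) {
      issues.push({ type: "changed_script", url: abs.href, previous: known, digest });
    }
  }
  return issues;
}

// Header names are compared case-insensitively; `watched` is an assumed list.
function diffHeaders(approved, observed, watched) {
  const norm = (h) =>
    new Map(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v.trim()]));
  const a = norm(approved), o = norm(observed);
  return watched.map((n) => n.toLowerCase())
    .filter((n) => a.get(n) !== o.get(n))
    .map((n) => ({ type: "header_changed", header: n,
                   previous: a.get(n) ?? null, current: o.get(n) ?? null }));
}

// Constructed sample data: hypothetical page, script URLs and bodies.
const PAGE = "https://shop.example/checkout";
const APPROVED = new Map([
  ["https://cdn.example.net/analytics.js", sriDigest("track('pageview');")],
]);
const OBSERVED = [
  { url: "/static/app.js", body: "render();" },
  { url: "https://cdn.example.net/analytics.js", body: "track('pageview');send();" },
  { url: "https://widgets.example.org/chat.js", body: "chat();" },
];
console.log(diffScripts(PAGE, APPROVED, OBSERVED));
```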
Can I enable Page Protection on localhost?
Yes, you can enable Page Protection on localhost. You will need to add the following attribute to your monitoring script tag:
You can also enable debug logs with the following attribute:
What should I do if I don't recognize a change?
If you don't recognize a change we've detected, don't resolve the issue just yet. Follow these steps:
- If a new script is added, confirm with your engineering team whether this script was expected to be added. If not, another script may have loaded it.
- If a script has been updated, we recommend checking with the third-party script provider what changes they included. You should also confirm with your engineering team whether this change is safe or the script should be removed.
- If your security headers have been updated, confirm with your engineering team whether this change was expected. If not, your team may need to update their security configuration.
Once you've confirmed the change, include the reason in your review and resolve the issue.