Page Protection

Track third party scripts and page security headers to protect your page from malicious changes.

How it works

Page Protection works by intercepting requests to all third-party scripts on your page (yes, even our own!). We monitor the source code for every script load and trigger an alert if any changes are detected. We also monitor for new scripts being added to a page as well as changes to security headers.

Evervault Page Protection helps protect companies from sophisticated card data breaches, while directly addressing new requirements in PCI DSS Version 4:

• Prevent Unauthorized Scripts (6.4.3)
• Verify Script Integrity (6.4.3)
• Maintain a Script Inventory (6.4.3)
• Header Tamper and Change Detection (11.6.1)

With monitoring and alerting, you'll detect potentially malicious JavaScript changes before they impact your customers — without the noise.

Getting Started

To get started with page protection, you need to register the page you want to monitor. Inside of the Evervault Dashboard, navigate to the Page Protection tab and click on Add Page. Specify the URL where your page is hosted, and an optional name to help identify the page. After creating the page, you will be guided through the process of installing the monitoring script on your page.

Monitoring

Once you have successfully deployed the monitoring script, any third party script or security header changes made on your page will be tracked by Evervault. These changes will appear inside of the Evervault Dashboard as alerts allowing you to review, approve, and provide a reason for each change that's been detected. You can see all resolved issues in the Resolved tab, including the reviewer and reason for the change:

Alerting

To receive alerts for changes to your page, enable Page Protection events by navigating to App → Settings → Webhooks → Create Endpoint. Slack and standard webhooks are supported. You can subscribe to the following events:

Auditing

All scripts and headers detected are stored for auditing purposes. From each inventory tab, you can export a CSV of all scripts and headers detected.

Script Inventory

Under the Scripts view, you can see an inventory of all scripts detected on the page. Click on a script to see its details, including the latest source code, reason for approval, and the history of changes and reviews:

Headers

Under the Headers view, you can see an inventory of all security headers detected on the page. You can copy the latest headers to your clipboard, or navigate the history of changes:

Frequently Asked Questions

Which headers does Evervault monitor?

We only monitor security headers that are used to protect against attacks like XSS and clickjacking:

1Content-Security-Policy
2Content-Security-Policy-Report-Only
3Cross-Origin-Embedder-Policy
4Cross-Origin-Opener-Policy
5Cross-Origin-Resource-Policy
6Permissions-Policy
7Referrer-Policy
8Report-To
9Reporting-Endpoints
10Strict-Transport-Security
11X-Content-Type-Options
12X-Frame-Options
13X-Permitted-Cross-Domain-Policies
14X-XSS-Protection

Does Page Protection track self-hosted scripts?

Any scripts that are hosted on your own domain are not tracked by Page Protection. This includes any third-party code that is installed via a package manager like npm and bundled with your application.

Since these scripts are part of your static application bundle, they can be analyzed before deployment. We recommend using code analysis tools during your build process to monitor for potential security threats.

OWASP maintains a list of source code analysis tools.

Can I enable Page Protection on localhost?

Yes, you can enable Page Protection on localhost. You will need to add the following attribute to your monitoring script tag:

1<script src="https://monitoring..." data-local-mode></script>

You can also enable debug logs with the following attribute:

1<script src="https://monitoring..." data-log-level="DEBUG"></script>

Can I disable proxying for specific scripts?

By default, all scripts are proxied through the monitoring endpoint. This ensures that the scripts running on the page match the versions being analyzed.

However, some scripts may not function correctly when proxied. In such cases, you can use the data-proxy-bypass attribute on the monitoring script. This attribute accepts a comma-separated list of script sources that bypass proxying while still being monitored.

1<script
2  src="https://monitoring..."
3  data-proxy-bypass="js.stripe.com,applepay.cdn-apple.com"
4></script>

Can I enable Page Protection on specific pages?

Yes, how you enable it depends on how your site is built:

1. For server-side rendered sites

Include the monitoring script on every page you want to track.

2. For client-side rendered sites

You can control monitoring dynamically:

1window.EvervaultMonitoring.enable();
2window.EvervaultMonitoring.disable();

To set whether monitoring is enabled by default on page load, use the data-default-enabled attribute in the script tag:

1<script src="https://monitoring..." data-default-enabled="false"></script>

By default, data-default-enabled is set to true, so monitoring starts automatically unless explicitly disabled.

What should I do if I don't recognize a change?

If you don't recognize a change we've detected, don't resolve the issue just yet. Follow these steps:

• If a new script is added, confirm with your engineering team that the script was meant to be added. If not, another script may have loaded it.
• If a script has been updated, check with the third-party script provider to find out what changes they included. You should also confirm with your engineering team that the change is safe, or if the script should be removed.
• If your security headers have been updated, confirm with your engineering team that the update was expected. If not, your team may need to update their security configuration.

Once you've confirmed the change, include the reason in your review and resolve the issue.