
Get started with client-side security

1. Activate client-side resource monitoring

To enable client-side resource monitoring:

  1. In the Cloudflare dashboard, go to the Security Settings page.

  2. (Optional) Filter by Client-side abuse.

  3. Turn on Continuous script monitoring.

If you do not have access to client-side security settings in the Cloudflare dashboard, check if your user has one of the necessary roles.

2. Review detected resources

When you enable client-side resource monitoring, it may take a while to get the list of detected scripts in your domain.

To review the scripts detected by Cloudflare:

  1. Go to the client-side resources page:

    1. In the Cloudflare dashboard, go to the Web assets page.

    2. Select the Client-side resources tab.

  2. Review the list of detected scripts, checking for any unknown or unexpected scripts.
    Depending on your plan and subscriptions, Cloudflare will also:

Depending on your Cloudflare plan, you may be able to also review the connections made by scripts in your domain's pages and check them for malicious activity.

3. (Optional) Configure alerts

Once you have activated client-side security's resource monitoring, you can set up one or more alerts informing you of relevant client-side changes on your zones. The available alert types depend on your Cloudflare plan and subscriptions.

To configure an alert:

  1. In the Cloudflare dashboard, go to the Notifications page.

  2. Choose Add and then select Client-side security (formerly Page Shield) in the Product dropdown.

  3. Select an alert type.

  4. Enter the notification name and description.

  5. (Optional) If you are an Enterprise customer with a paid add-on, you can define the zones for which you want to filter alerts in Rules of these zones. This option requires that you define content security rules in the selected zones.

  6. Select one or more notification destinations (notification email, webhooks, and connected notification services).

  7. Select Create.

To learn how you can handle an alert, refer to Handle a client-side resource alert.

4. (Optional) Define content security rules

Content security rules (previously called policies) define allowed resources on your websites. Create content security rules to implement a positive security model [1].

4.1. Create a content security rule with the Log action

When you create a content security rule with the Log action, Cloudflare logs any resources not covered by the rule, without blocking any resources. Use this action to validate a new rule before deploying it.

  1. In the Cloudflare dashboard, go to the Security rules page.

  2. Select Create > Content security rules.

  3. Enter a descriptive name for the rule in Description.

  4. Under If incoming requests match, define the scope of the content security rule (or policy). You can use the Expression Builder (specifying one or more values for Field, Operator, and Value) or manually enter an expression using the Expression Editor. For more information, refer to Edit expressions in the dashboard.

  5. Under Allow these directives, select the desired CSP directives for the content security rule by enabling one or more checkboxes.

    • To manually enter an allowed source, select Add source.

    • To refresh the displayed sources based on detected resources, select Refresh suggestions.

  6. Under Then take action, select Log.
  7. To save and deploy your rule, select Deploy.

4.2. Review rule violations

Resources not covered by the content security rule you created will be reported as rule violations. After some time, review the list of rule violations to make sure the rule is correct.

To view rule violation information:

  1. In the Cloudflare dashboard, go to the Security rules page.

  2. (Optional) Filter by Content security rules.

The displayed information includes the following:

  • A sparkline next to the rule name, showing violations in the past seven days.
  • For content security rules with associated violations, an expandable details section for each rule, with the top resources present in violation events and a sparkline per top resource.

Update the rule if needed.

4.3. Change rule action to Allow

Once you have verified that your content security rule is correct, change the rule action from Log to Allow.

When you use the Allow action, Cloudflare starts blocking any resources not explicitly allowed by the rule.
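The Log-then-Allow workflow in steps 4.1 to 4.3 can be rehearsed offline before changing the rule action. The following is an added example, not Cloudflare's code or API: it applies a simplified form of CSP host-source matching to a draft rule and lists the resources that would be logged under Log and blocked under Allow. The page origin, the draft rule, the detected resources, and the function names are all constructed for illustration.

```javascript
// Added example: simplified CSP host-source matching, not Cloudflare's implementation.
// All origins, URLs and the draft rule below are constructed sample data.
const PAGE_ORIGIN = "https://shop.example.com";
const draftRule = {
  "script-src": ["'self'", "https://cdn.example.net", "*.analytics.example"],
  "connect-src": ["'self'", "https://api.example.com/v1/"],
};
const detected = [
  { directive: "script-src", url: "https://shop.example.com/js/app.js" },
  { directive: "script-src", url: "https://cdn.example.net/lib/ui.min.js" },
  { directive: "script-src", url: "https://t.analytics.example/tag.js" },
  { directive: "script-src", url: "https://unknown-widgets.example.org/w.js" },
  { directive: "connect-src", url: "https://api.example.com/v1/cart" },
  { directive: "connect-src", url: "https://api.example.com/internal/debug" },
];

// Does one allowed source cover this URL? Explicit ports and http-to-https
// upgrades are not handled in this sketch; such cases count as "not covered".
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;
  // A source without a scheme inherits the scheme of the protected page.
  const wantScheme = (scheme || page.protocol.slice(0, -1)).toLowerCase() + ":";
  if (url.protocol !== wantScheme || url.port !== "") return false;
  const want = host.toLowerCase();
  // "*.example" covers subdomains only, never the bare domain itself.
  if (wildcard ? !url.hostname.endsWith("." + want) : url.hostname !== want) return false;
  // A path ending in "/" is a prefix; any other path must match exactly.
  return !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
}

// Resources the rule does not cover. Assumption: a directive that is not
// selected in the rule is left unrestricted by it.
function uncovered(rule, resources, pageOrigin) {
  const page = new URL(pageOrigin);
  return resources.filter(({ directive, url }) => {
    const sources = rule[directive];
    return sources !== undefined && !sources.some((s) => sourceMatches(s, new URL(url), page));
  });
}

// Log reports violations and blocks nothing; Allow blocks the same set.
function applyAction(action, rule, resources, pageOrigin) {
  const violations = uncovered(rule, resources, pageOrigin).map((r) => r.url);
  return { violations, blocked: action === "allow" ? violations : [] };
}
console.log(applyAction("log", draftRule, detected, PAGE_ORIGIN));
```

Any URL still listed under `violations` is either an unexpected resource to investigate or a legitimate one to add to the rule before moving to Allow.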

Footnotes

  1. A positive security model is one that defines what is allowed and rejects everything else. In contrast, a negative security model defines what will be rejected and accepts the rest.