Detect attackers trying to steal data via first- or third-party scripts that you use on your site. Client-Side Protection & Compliance identifies suspicious and malicious script behaviors, and helps you take action to protect your site and visitors. You don't need to deliver your content on Akamai's Intelligent Platform to use Client-Side Protection & Compliance. Apply detections to any website, no matter where you host it.
All contemporary websites run with a constellation of third parties we depend on to provide vital features like marketing automation, animations, web experience personalization, advertising, analytics, and other widgets that enrich your site’s user experience and inform your business. These third-party vendors do so via code they run on your site. That magic code, in turn, relies on your vendor’s vendors, who run their own code, which is also connected to your website, and so on.
If you look at an actual working website, the network is extensive:
Blue dots represent requests the original site controls. All other nodes are third parties that connect to the original web site, with direct access to its users through the chain.
This setup creates a large attack surface for your website, which you can't control or track. You may trust your vendors, but you wouldn't know if they or any of their solution providers are compromised.
The code that your third-party vendors run on your site is separate from your code and your server, so traditional WAF protections aren't part of the mix. More urgently, their code is in contact with your user and can listen in on user entries and send that data wherever it wants.
If a bad actor gains entry to the chain, it's not much different from card skimmers in the physical world who insert their bogus device on a bank machine and wait for users to interact directly with that skimmer, while the bank knows nothing about it and can't protect the user.
When attackers get access via third-party code, they can do nefarious things like copy the payment data every user enters in the shopping cart, intercept your users' credential entries, or deface your site.
Client-Side Protection & Compliance automatically tracks and inventories scripts on payment pages, ensuring their integrity and authorization. Your security team can easily justify the purpose of scripts that are executing on payment pages, with predefined justifications and automated rules.
The solution also monitors for changes in HTTP headers and payment page protections to defend against page tampering. A comprehensive dashboard and dedicated PCI alerts make it easy to rapidly respond to compliance-related events and provide auditing evidence.
Akamai can help you protect your site, even from these hidden threats. Our Client-Side Protection & Compliance detects activity that could be stealing user data, or otherwise interfering with the user experience. You can track and investigate these events to rapidly understand and act on the threat.
Make sure the protection configuration you want to apply is active on production before you try to apply it in a security policy.
Create or edit a security policy (or, for most Web Application Protector users, just open your security configuration).
On the left side of the screen, under Protections, click In-Browser Protection.
If this protection is off, turn it On.
Select the In-Browser Protection Configuration you want to apply.
Only those active in production appear as choices.
The match target of the security policy you're working in sets the scope of protections. Within that, you can:
- Specify pages or paths where you want to always inject or never inject. For example, you may want to always inject detection on sensitive form pages where users enter data, but never inject on your Accelerated Mobile Page (AMP) pages.
- Turn injection on or off for individual requests.
You can enable or disable detection for specific requests in order to conduct unit testing. You do so by inserting a query string parameter as part of the request. You'll find these values in Test Parameters and can use them to override other Injection Criteria settings. To:
- Enable detections, include the parameter name and value you see under Force Injection.
- Disable detection, include the parameter name and value you see under Disable Injection.
To learn how to monitor suspicious script activity and take action on incidents, read the Client-Side Protection & Compliance Online Help (login required).