S4E

PCI DSS 4.0-Compliant Payment Pages — Secured at Runtime

Protect your checkout page and customer data with runtime script integrity, change detection, CSP monitoring, and security telemetry — built for modern, dynamic front-ends.

Why client-side protection matters now

Your payment page runs many JavaScript components, and each one is a source of risk: third‑party tags, dynamic loaders, inline snippets, browser extensions — and attackers who quietly inject or swap scripts. Compliance teams also need verifiable evidence for audits.

JSentinel tackles both: it continuously inventories and monitors payment page scripts at runtime, spots changes, and emits typed security events your SOC can action immediately.

What JSentinel monitors on your pages

JSentinel monitors payment page scripts in real time, detects web-skimming and fake-site signals, captures CSP and header issues, and produces audit-ready evidence.
1. Script Integrity (Same-Origin)
JSentinel continuously verifies your scripts by hashing all JS and CSS files at runtime and comparing the hashes with your manifest — similar to Subresource Integrity (SRI) — so any unauthorized modification is detected.

2. Inline Scripts
It classifies inline scripts as stable or volatile. Stable blocks are hashed and monitored, while volatile ones are flagged for review to surface potential injection attempts.

3. External Scripts (CDN/Remote)
JSentinel validates all external and CDN-based resources. It supports pinned and versioned CDNs, and enforces allow/block rules for dynamically loaded scripts.

4. Dynamic Script Monitoring
JSentinel detects any new script elements or changes to existing ones, alerting you immediately to suspicious dynamic injections.

5. Clipboard Tamper Detection
It compares what users copy with what gets pasted to identify hidden manipulations — a common technique in phishing and crypto-address replacement attacks.

6. Extension Activity Monitoring
JSentinel watches for browser-extension behavior that attempts to access form fields or modify page data, protecting against data exfiltration.

7. Anti-Tamper Protection
Critical browser APIs are guarded in real time, preventing attackers from overwriting security-sensitive functions.

8. Network Telemetry
Every fetch, XHR, and beacon request is tracked with detailed timing, header, and response information, giving you visibility into your page’s network activity.

9. Headers Visibility
It takes a minimal yet effective snapshot of your site’s security headers (such as CSP, HSTS, and CORP), helping you identify misconfigurations.

10. CSP Violation Monitoring
Any Content Security Policy (CSP) violations are captured and logged, allowing developers and security teams to analyze and respond quickly to script injection attempts.

Fake-site & Lookalike Domain Signals (new)

Attackers clone your UX on deceptive domains or route your checkout to hostile hosts. JSentinel surfaces signals that commonly appear on fake pages so your team can act fast:

Untrusted Host Loads (e.g., unpinned third-party script URLs) trigger alerts such as unPinned-url. Use trustedHosts to define your allow-list and reduce noise.

Insecure Protocol Usage (http: where https: is required) is flagged as insecure-protocol.

Policy Anomalies: CSP violations (e.g., a fake checkout loading a script outside script-src) produce structured csp-violation alerts with reason and blocked URI.

Headers Visibility: a minimal snapshot (status + key headers) helps you spot pages served with atypical headers vs. your baseline.

Outbound Telemetry: unexpected calls to unfamiliar endpoints show up in network.request/network.response, aiding triage.
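As an added example of the first three signals above (not JSentinel's code; the trustedHosts option shape, the pinning heuristic and the event fields are assumptions), this block evaluates each external script load against an allow-list, raising insecure-protocol for http: loads and unPinned-url for unpinned third-party URLs, and normalises a browser SecurityPolicyViolationEvent into a structured csp-violation alert carrying the directive and blocked URI. Sample loads and the violation record are constructed.

```javascript
// Added example (not JSentinel's code): host allow-listing and CSP-violation
// normalisation that emit the reason codes named on the page.

// Assumed option shape: trustedHosts is a plain list of hostnames; subdomains inherit trust.
const TRUSTED_HOSTS = ['shop.example', 'cdn.example'];

// A URL counts as pinned when its path carries an exact version (/lib@1.2.3/ or /1.2.3/)
// or the <script> tag has an SRI integrity attribute. Heuristic chosen for this example.
const VERSION_SEGMENT = /(?:@|\/)v?\d+\.\d+\.\d+(?:[-+][\w.]+)?(?:\/|$)/;
function isPinned(url, integrity) {
  return Boolean(integrity) || VERSION_SEGMENT.test(url.pathname);
}

// Evaluate one external script load. Returns an alert/info event, or null when the
// host is allow-listed (the "reduce noise" case on the page).
function evaluateScriptLoad(src, { integrity = '', trustedHosts = TRUSTED_HOSTS,
                                   pageOrigin = 'https://shop.example' } = {}) {
  let url;
  try { url = new URL(src, pageOrigin); }
  catch { return { type: 'alert', reason: 'malformed-url', src }; }
  if (url.protocol !== 'https:') {
    return { type: 'alert', reason: 'insecure-protocol', src, host: url.host };
  }
  const trusted = trustedHosts.some(h => url.hostname === h || url.hostname.endsWith('.' + h));
  if (trusted) return null;
  if (!isPinned(url, integrity)) {
    return { type: 'alert', reason: 'unPinned-url', src, host: url.host };
  }
  // Pinned third-party load: worth recording, not alerting (code name is an assumption).
  return { type: 'info', reason: 'third-party-load', src, host: url.host };
}

function auditLoads(loads) {
  return loads.map(l => evaluateScriptLoad(l.src, l)).filter(Boolean);
}

// Normalise a SecurityPolicyViolationEvent (or a report-uri/report-to JSON body with the
// same field names) into one structured csp-violation alert.
function cspViolationEvent(v) {
  return {
    type: 'alert',
    reason: 'csp-violation',
    directive: v.effectiveDirective || v.violatedDirective,
    blockedURI: v.blockedURI,
    document: v.documentURI,
    sourceFile: v.sourceFile || null,
    line: v.lineNumber || null,
  };
}

// Browser only: route live violations through the normaliser. Returns false without a DOM.
function installCspListener(onEvent) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation', e => onEvent(cspViolationEvent(e)));
  return true;
}

// Constructed sample loads as they might appear on a checkout page.
const SAMPLE_LOADS = [
  { src: 'https://static.shop.example/checkout.js' },                       // allow-listed
  { src: 'http://cdn.example/lib.js' },                                      // plaintext load
  { src: 'https://cdn.thirdparty.example/npm/lib@1.2.3/dist/lib.min.js' },  // pinned by version
  { src: 'https://cdn.thirdparty.example/npm/lib/dist/lib.min.js' },        // floating latest
  { src: 'https://tags.vendor.example/tag.js', integrity: 'sha384-PLACEHOLDER' }, // pinned by SRI
];

// Constructed violation record shaped like the browser event for a script blocked by script-src.
const SAMPLE_VIOLATION = {
  documentURI: 'https://shop.example/checkout',
  violatedDirective: 'script-src',
  effectiveDirective: 'script-src-elem',
  blockedURI: 'https://fake-checkout.example/skim.js',
  sourceFile: 'https://shop.example/checkout',
  lineNumber: 42,
};

console.log(auditLoads(SAMPLE_LOADS));
console.log(cspViolationEvent(SAMPLE_VIOLATION));
```

The audit yields insecure-protocol for the http: load, unPinned-url for the floating CDN URL, and quiet info records for the two pinned third-party loads; the allow-listed host produces nothing, which is the noise reduction trustedHosts is meant to provide.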


Outcomes your security & compliance teams will feel

Evidence for PCI DSS 4.0 Client-side Requirements

Exportable, event-driven findings (script inventory, integrity mismatches, CSP violations, header snapshots, telemetry) make audits faster and more defensible.

Lower MTTD in Web-skimming/Magecart Scenarios

Inline/dynamic changes, untrusted script hosts, and policy breaches are raised as unified alert events with reason codes (e.g., hash-mismatch, not-in-manifest, unPinned-url).

Operational Clarity

One typed event channel (“JSentinel”) reduces wiring complexity across React/Vue/Svelte/Angular.
Don't just fix vulnerabilities, secure your whole payment page.