---
title: Monitoring your inventory
summary: null
url: >-
  https://www.fastly.com/documentation/guides/security/client-side-protection/monitoring-your-inventory
---

Client-Side Protection automatically creates an inventory for each [Page](https://www.fastly.com/documentation/guides/security/client-side-protection/managing-websites-and-pages/#managing-pages) you define. An inventory is a collection of the client-side scripts and [security-impacting response headers](https://www.fastly.com/documentation/guides/security/client-side-protection/monitoring-your-inventory#monitoring-response-headers) that Fastly observes loading on end users' browsers. Reviewing your inventory helps you identify unauthorized scripts or suspicious changes that may indicate a security issue, such as a Magecart attack.

## Before you begin

Before Fastly creates an inventory for your Page, you must [set up Client-Side Protection](https://www.fastly.com/documentation/guides/security/client-side-protection/getting-started) by creating at least one website and Page.

## Reviewing inventoried scripts

For each observed script in the inventory, you can add an authorization status to help keep track of which scripts you've reviewed for legitimacy. If a script shouldn't be loading, investigate the issue and take action accordingly.

To add an authorization status, complete the following steps:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Client-Side Protection** > [**Inventory**](https://manage.fastly.com/security/inventory).

3. From the Pages bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the Page name and select a Page.
4. Click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to the right of the script you want to add an authorization status for.
5. From the **Authorized** menu, leave **Yes** selected to authorize the script. Select **No** to not authorize the script.
6. In the **Justification** field, enter the reason the script is authorized or not authorized.
7. Click **Update**.

When Fastly detects changes to a script that has an authorization status, Fastly resets the authorization status.

## Monitoring response headers

Fastly logs the following security-impacting response headers for all responses that have the `Content-Security-Policy-Report-Only` response title:

- `Access-Control-Allow-Origin`
- `Content-Security-Policy`
- `Cross-Origin-Embedder-Policy`
- `Cross-Origin-Opener-Policy`
- `Cross-Origin-Resource-Policy`
- `Permissions-Policy`
- `Referrer-Policy`
- `Strict-Transport-Security`
- `X-Content-Type-Options`
- `X-Frame-Options`
- `X-XSS-Protection`

You can view the last-logged response header values from the Response headers tab on the [Inventory](https://manage.fastly.com/security/inventory) page. Every three days, Fastly also sends a list of response headers that changed to the [email address you defined](https://www.fastly.com/documentation/guides/security/client-side-protection/managing-websites-and-pages#managing-pages) on the associated Page. These changes are grouped into 60-minute periods. If you think a response header value is dangerous, investigate the issue and take action accordingly.

## What's next

After reviewing your inventory, you can [create a policy](https://www.fastly.com/documentation/guides/security/client-side-protection/managing-your-policy) to control which resources browsers are allowed to load.