
What is Client-Side Protection?

Client-side protection refers to the security tooling, practices and strategies aimed at protecting the end user, or the “client’s” browser, as they navigate the web. Client-side protection helps identify (and prevent) threats to a user as they interact with a website.

As the web becomes more complex, with highly dynamic content, there are increasing opportunities for bad actors. Client-side protection helps to secure users (clients) as they browse the web, securing scripts, form fills and clients’ sensitive data. Client-side protection is the essential “watchdog” for clients navigating the internet, focused specifically on securing their experience.

How does client-side protection work? 

At the simplest level, client-side protection works by observing behavior within the browser as users navigate a site. This provides real-time insight into anything suspicious. Some security tools focus on identifying known security vulnerabilities or behaviors.

Client-side solutions go a layer deeper, looking at how scripts are behaving. These scripts are sequences of code that run directly inside your web browser with the purpose of making web pages dynamic or interactive.  

Client-side tools typically perform the following practices: 

  • They monitor how JavaScript (the scripts mentioned above) is executing on a page, essentially an analysis of whether things are loading and behaving as they should.

  • They identify any suspicious or anomalous behavior, like data being collected or sent somewhere unexpected.

  • They help enforce policies that define how you want scripts to behave on your websites.

  • They block and alert you to any activity that goes against the policies you have defined.

  • They monitor any changes to normal functionality, using shifts from expected patterns to quickly flag suspicious activity.
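The policy-enforcement and alerting practices above are easiest to see with a concrete signal: Content Security Policy violation reports, which a browser POSTs to a site's `report-uri` endpoint whenever a script, connection or other resource is blocked (or, in report-only mode, would have been blocked). The Node.js snippet below is an added example, not Fastly's code and not code from this page: it parses reports in the legacy `{"csp-report": {...}}` format, compares the blocked origin against an assumed inventory of approved origins, and sorts each report into "policy gap" (an approved origin the policy forgot), "unapproved origin" (something loading that nobody signed off on), or "inline or eval". The sample reports and the `APPROVED_ORIGINS` set are constructed for the example.

```javascript
// Triage of CSP violation reports in the legacy `report-uri` JSON shape.
// All sample data below is constructed; no real site or report is used.

// Assumed inventory of origins the organization has approved for its checkout pages.
const APPROVED_ORIGINS = new Set(["https://shop.example", "https://cdn.example"]);

// Constructed reports, shaped like what a browser sends to a report-uri endpoint.
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example/js/checkout.js",
    "original-policy": "script-src 'self'; report-uri /csp",
    "disposition": "report" } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "effective-directive": "script-src",
    "blocked-uri": "https://unknown-host.invalid/collect.js",
    "original-policy": "script-src 'self'; report-uri /csp",
    "disposition": "enforce" } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "effective-directive": "connect-src",
    "blocked-uri": "https://unknown-host.invalid/beacon",
    "original-policy": "connect-src 'self'; report-uri /csp",
    "disposition": "enforce" } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://shop.example/account",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": "script-src 'self'; report-uri /csp",
    "disposition": "enforce" } }),
  "not json at all", // endpoints receive garbage too; it must not crash triage
];

// Normalize one raw report body, or return null if it is malformed.
function parseCspReport(text) {
  let body;
  try { body = JSON.parse(text); } catch { return null; }
  const r = body && body["csp-report"];
  if (!r || typeof r["blocked-uri"] !== "string") return null;
  return {
    documentUri: r["document-uri"] || "",
    directive: r["effective-directive"] || r["violated-directive"] || "",
    blockedUri: r["blocked-uri"],
    disposition: r["disposition"] || "enforce",
  };
}

// Browsers report these keyword values instead of a URL for inline/eval blocks.
const KEYWORD_SOURCES = new Set(["inline", "eval", "wasm-eval"]);

function classifyViolation(report, approvedOrigins) {
  if (KEYWORD_SOURCES.has(report.blockedUri)) return "inline-or-eval";
  let origin;
  try { origin = new URL(report.blockedUri).origin; } catch { return "other"; }
  if (origin === "null") return "other"; // data:, blob: and similar have opaque origins
  return approvedOrigins.has(origin) ? "policy-gap" : "unapproved-origin";
}

// Aggregate a batch of raw reports into counts per verdict and per blocked origin.
function triageReports(texts, approvedOrigins) {
  const counts = { "policy-gap": 0, "unapproved-origin": 0, "inline-or-eval": 0, other: 0 };
  const byOrigin = {};
  let malformed = 0;
  for (const text of texts) {
    const report = parseCspReport(text);
    if (!report) { malformed++; continue; }
    const verdict = classifyViolation(report, approvedOrigins);
    counts[verdict]++;
    if (verdict === "policy-gap" || verdict === "unapproved-origin") {
      const origin = new URL(report.blockedUri).origin;
      byOrigin[origin] = (byOrigin[origin] || 0) + 1;
    }
  }
  return { counts, byOrigin, malformed };
}

console.log(JSON.stringify(triageReports(SAMPLE_REPORTS, APPROVED_ORIGINS), null, 2));
```

In practice the "unapproved-origin" bucket is the one to alert on: a checkout page loading a script from, or opening a connection to, an origin nobody approved is exactly the "data sent somewhere unexpected" case the list describes. The "policy-gap" bucket is an operational signal instead: an approved resource is being blocked, so the policy and the inventory have drifted apart.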

Why is client-side protection important?

Client-side protection is important because it serves the specific purpose of protecting users’ experience once content has reached their browser. The majority of cybersecurity practices focus on securing infrastructure, code and so on, which all happens before a user interacts with a website’s content.

More specifically, client-side protection is important because it: 

  • Helps prevent the theft of sensitive data (think form fills)

  • Detects malicious activity in the browser as it happens (a capability other security tools lack)

  • Evaluates third-party scripts, ensuring they aren’t introducing risk into your ecosystem

  • Keeps your users (and customers) secure, making it more likely they’ll do business with you. 

Who needs client-side protection?

Short answer: anyone who does business online. Any organization that relies on its website to do business should consider implementing client-side protection practices and tooling.

The need for client-side protection is especially important for organizations that:

  • Process payments or handle any types of sensitive personal data

  • Have strict regulatory or compliance requirements

  • Rely on JavaScript and third-party integrations

  • Have very personalized or dynamic user experiences

Organizations in these industries should place special emphasis on implementing a client-side protection strategy: 

  • E-commerce and retail, which use highly dynamic content like pricing, inventory and customized user experiences

  • Financial services, which handle highly sensitive data and fall under PCI DSS requirements

  • Healthcare, which handles highly sensitive data and must meet strict regulations

  • Media and high-traffic digital platforms, which offer dynamic and changing content

How does client-side protection help with compliance and regulation requirements? 

Broadly, client-side protection helps organizations know what code is running on their site(s), and demonstrate that they can detect problems and control them quickly in the face of malicious activity. These are necessary capabilities when it comes to regulations and compliance.

Client-side protection solutions help satisfy several critical regulatory concerns:

PCI DSS
Client-side protection is critical to satisfying PCI DSS v4.0 requirements: it brings visibility and control to payment pages on a website. It enables organizations to maintain an accurate inventory of all scripts running in the browser and ensure proper authorizations are in place. It can detect suspicious behavior and help stop attempts to intercept or infiltrate sensitive data, in real time.

GDPR / CCPA
Client-side protection helps organizations satisfy data privacy obligations under GDPR and CCPA: it helps ensure that all personal information collected in the browser is handled transparently and securely. It also grants visibility into how scripts interact with user data, so organizations can prevent unauthorized or unwanted data collection and sharing.

SOC 2
Client-side protection helps organizations demonstrate that they have control over application environments. With enhanced monitoring and detection capabilities and real-time insight into script behavior and potential threats, client-side protection helps enforce policies that govern how data is accessed and transmitted. This all supports key requirements of SOC 2 including security, availability, and confidentiality.

What are the top client-side protection security risks? 

The OWASP Top 10 provides detailed guidance and information on web application security risks. OWASP also publishes a separate list focused specifically on client-side security risks that organizations should address.

OWASP notes that “browser side applications are frequently a complex combination of custom HTML, CSS, and JavaScript, leveraging numerous third-party libraries that are both served by the custom application, and frequently integrated with third-party services that supply their own custom code and libraries into the same client-side application. All this runs in the customer’s browser in the wild, rather than on application owner controlled, managed, and secured servers.” This results in many risks for the client side, necessitating a comprehensive security strategy.

The following is OWASP’s list and exact descriptions for top client-side security risks: 

1. Broken client-side access control
Insufficient control of JavaScript access to client-side assets (data and code), exfiltration of sensitive data, or manipulation of the DOM for malicious purposes (to access those assets). Just like OWASP Top 10: A01-2021 - Broken Access Control, but focused on client-side code.

2. DOM-based XSS
Vulnerabilities that permit XSS attacks through DOM manipulation or abuse.

3. Sensitive data leakage
Inability to detect/prevent digital trackers and pixels across a web property to ensure national and international privacy laws are complied with.

4. Vulnerable and outdated components
Lack of detection and updates to JavaScript libraries that are outdated or contain known vulnerabilities. Just like OWASP Top 10: A06-2021 - Vulnerable and Outdated Components, but focused on client-side libraries.

5. Lack of third-party origin control
Origin control allows the restriction of certain web assets or resources by comparing the origin of the resource to the origin of the third-party library. Without leveraging such controls, supply chain risk increases due to inclusion of unknown or uncontrolled third-party code that has access to data in the site’s origin.

6. JavaScript drift
Inability to detect changes at the asset and code level of JavaScript used client-side. This includes the inability to detect behavioral changes of this code to determine if the changes are potentially malicious in nature. This is particularly important for third-party libraries.

7. Sensitive data stored client-side
Storage of sensitive data like passwords, crypto secrets, API tokens, or PII data in persistent client-side storage like LocalStorage, browser cache, or transient storage like JavaScript variables in a data layer.

8. Client-side security logging and monitoring failures
Insufficient monitoring and detection of client-side changes and data accesses, particularly failures and errors, in real-time as each page is assembled and executed using both first-party and third-party code. Just like OWASP Top 10: A09-2021 - Security Logging and Monitoring Failures, but focused on client-side behavior.

9. Not using standard browser security controls
Not using common standards-based security controls built into browsers such as iframe sandboxes, and security headers like Content Security Policy (CSP), subresource integrity, and many other standard security features.

10. Including proprietary information on the client-side
Presence of sensitive business logic, developer comments, proprietary algorithms, or system information contained in client-side code or stored data.

How Fastly can help

Fastly Client-Side Protection provides you with the ability to inventory and control the resources (e.g., scripts, images, and fonts) that load in an end user’s browser from defined areas of your web applications by building and enforcing content security policies. In addition, you can record a justification for why each client-side script is or isn’t allowed.

These capabilities help you guard against cross-site scripting attacks and enable you to maintain compliance with Payment Card Industry Data Security Standard (PCI DSS) 4.0.1 - Sections 6.4.3 and 11.6.1.
