Skip to main content
The Page Shield API provides client-side security monitoring to detect and alert on malicious scripts, connections, and cookies loaded on your website. It helps protect against supply chain attacks, Magecart attacks, and other client-side threats.

Initialize the Page Shield resource

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env.CLOUDFLARE_API_TOKEN,
});

const pageShield = client.pageShield;

Settings management

Get settings

Retrieve the current Page Shield settings for a zone. 
const settings = await client.pageShield.get({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
});

Update settings

Update Page Shield settings for a zone. 
const settings = await client.pageShield.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  enabled: true,
  use_cloudflare_reporting_endpoint: true,
  use_connection_url_path: false,
});
zone_id
string
required
Zone identifier
enabled
boolean
Enable or disable Page Shield
use_cloudflare_reporting_endpoint
boolean
When true, CSP reports will be sent to https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report
use_connection_url_path
boolean
When true, the paths associated with connection URLs will also be analyzed

Scripts

Monitor and analyze JavaScript files loaded on your website.

List scripts

List all scripts detected by Page Shield. 
// Automatically fetches more pages as needed
for await (const script of client.pageShield.scripts.list({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(script.url, script.host);
}
direction
string
Direction to order scripts. Options: asc, desc
exclude_cdn_cgi
boolean
Exclude scripts from cdn-cgi path
exclude_duplicates
boolean
Exclude duplicate scripts
exclude_urls
string
Comma-separated list of URL patterns to exclude
export
string
Export format. Options: csv
hosts
string
Comma-separated list of hosts to filter by
order_by
string
Field to order by. Options: first_seen_at, last_seen_at
page
string
Page number
page_url
string
Filter by page URL where script was loaded
per_page
number
Number of items per page
prioritize_malicious
boolean
Prioritize malicious scripts in results
status
string
Filter by script status. Options: active, inactive, all
urls
string
Comma-separated list of script URLs to filter by

Get script

Retrieve detailed information about a specific script. 
const script = await client.pageShield.scripts.get(
  '023e105f4ecef8ad9ca31a8372d0c353',
  { zone_id: '023e105f4ecef8ad9ca31a8372d0c353' }
);

Connections

Monitor outbound connections made by scripts on your website.

List connections

List all connections detected by Page Shield. 
// Automatically fetches more pages as needed
for await (const connection of client.pageShield.connections.list({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(connection.url, connection.host);
}

Get connection

Retrieve detailed information about a specific connection. 
const connection = await client.pageShield.connections.get(
  'connection_id',
  { zone_id: '023e105f4ecef8ad9ca31a8372d0c353' }
);

Cookies

Monitor cookies set by scripts on your website.

List cookies

List all cookies detected by Page Shield. 
// Automatically fetches more pages as needed
for await (const cookie of client.pageShield.cookies.list({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(cookie.name, cookie.domain);
}
Retrieve detailed information about a specific cookie. 
const cookie = await client.pageShield.cookies.get(
  'cookie_id',
  { zone_id: '023e105f4ecef8ad9ca31a8372d0c353' }
);

Policies

Manage Content Security Policy (CSP) configurations for Page Shield.

Create policy

Create a new Page Shield policy. 
const policy = await client.pageShield.policies.create({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  action: 'allow',
  description: 'Allow scripts from trusted CDN',
  expression: 'http.request.uri.path eq "/checkout"',
  value: 'https://cdn.example.com',
});

Update policy

Update an existing Page Shield policy. 
const policy = await client.pageShield.policies.update(
  'policy_id',
  {
    zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
    action: 'log',
    description: 'Updated policy description',
  }
);

List policies

List all Page Shield policies for a zone. 
// Automatically fetches more pages as needed
for await (const policy of client.pageShield.policies.list({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(policy.id, policy.description);
}

Get policy

Retrieve a specific Page Shield policy. 
const policy = await client.pageShield.policies.get(
  'policy_id',
  { zone_id: '023e105f4ecef8ad9ca31a8372d0c353' }
);

Delete policy

Delete a Page Shield policy. 
await client.pageShield.policies.delete(
  'policy_id',
  { zone_id: '023e105f4ecef8ad9ca31a8372d0c353' }
);

Response types

Script

Represents a JavaScript file detected on your website.
id
string
required
Script identifier
url
string
required
Script URL
host
string
required
Hostname where the script is hosted
added_at
string
required
When the script was added to Page Shield
first_seen_at
string
required
When the script was first detected
last_seen_at
string
required
When the script was last seen
url_contains_cdn_cgi_path
boolean
required
Whether the URL contains cdn-cgi path
hash
string
The computed hash of the analyzed script
dataflow_score
number
The dataflow score of the JavaScript content (0-100)
cryptomining_score
number
The cryptomining score of the JavaScript content (0-100)
integrity_score
number
The integrity score of the JavaScript content (0-100)
domain_reported_malicious
boolean
Whether the domain is reported as malicious
fetched_at
string
The timestamp of when the script was last fetched
first_page_url
string
The first page URL where the script was detected

Connection

Represents an outbound connection made by scripts.
id
string
required
Connection identifier
url
string
required
Connection URL
host
string
required
Hostname of the connection
added_at
string
required
When the connection was added to Page Shield
first_seen_at
string
required
When the connection was first detected
last_seen_at
string
required
When the connection was last seen

Setting

Page Shield configuration settings.
enabled
boolean
required
Whether Page Shield is enabled
updated_at
string
required
When Page Shield was last updated
use_cloudflare_reporting_endpoint
boolean
required
Whether to use Cloudflare’s CSP reporting endpoint
use_connection_url_path
boolean
required
Whether to analyze connection URL paths

Build docs developers (and LLMs) love

Get started for freeTalk to us