Client-side security for ecommerce

Know what runs in your customers' browsers.

Inventory the scripts on your storefront, identify merchant-added services, and establish the evidence needed to investigate unexpected changes.

Passive and read-only · No installation · Private scan evidence
storefrontshield-com-scan.md
StorefrontShield.com script scan

example-store.com

Sanitized report preview

Attention level: REVIEW RECOMMENDED

112 scripts observed
4 merchant services
3 need review

Recognized services

Google Tag Manager · Tag management · 3 loads
Meta Pixel · Advertising attribution · 2 loads
Microsoft Clarity · Session analytics · 2 loads

Evidence generated from a real browser visit

Built for modern storefronts

Works across hosted platforms and custom ecommerce experiences.

Shopify · WooCommerce · Magento · BigCommerce · Custom

The visibility gap

Your storefront is a software supply chain.

Pixels, tag managers, apps, widgets, and theme code all execute in the browser. Without an inventory, it is difficult to tell what belongs—or what changed.

01

Third-party code changes outside your release cycle

A trusted vendor or tag container can introduce new browser-side behavior without a storefront deployment.

02

Ownership is unclear

Platform code, theme code, and merchant-installed services carry different responsibilities. Most inventories do not separate them.

03

Evidence is difficult to assemble later

When an assessor or security team asks what was authorized, screenshots and memory are poor substitutes for a dated baseline.

The scan report

Useful to a merchant, not just a security engineer.

Every scan is translated into a readable assessment rather than a dump of network requests.

1

Ownership-aware inventory

Separates platform-managed code, first-party theme code, and merchant-added services.

2

Recognizable vendor groups

Repeated script loads are consolidated under services such as Google Tag Manager, Meta Pixel, and store apps.

3

Clear review queue

Unknown sources are highlighted without automatically labeling them malicious.

4

Integrity baseline

Script fingerprints create the foundation for detecting additions, removals, and modifications on later scans.

OBSERVED SERVICES · LOADS
TAG MANAGER · Google Tag Manager · 3
MARKETING · Automizely / AfterShip · 5
ANALYTICS · Microsoft Clarity · 2
PLATFORM · Shopify storefront runtime · 18

3 unrecognized sources need a one-time ownership review.

How it works

A controlled browser visit, translated into evidence.

No storefront plugin or code change is required for the free scan.

01 / OBSERVE

Load the public page

An isolated browser visits the authorized storefront URL and observes scripts loaded at runtime, including dynamically injected code.

02 / UNDERSTAND

Classify and fingerprint

Scripts are grouped by vendor and responsibility, with integrity fingerprints recorded where safely available.

03 / REPORT

Deliver a readable assessment

You receive a private report with recognized services, items needing review, limitations, and practical next steps.

PCI DSS support

Supporting evidence for browser-side controls.

StorefrontShield helps merchants assemble script inventory and change evidence relevant to PCI DSS v4.0.1 requirements.

We are not a Qualified Security Assessor and do not certify compliance. Your assessor and organization remain responsible for scope, control design, and attestation.

6.4.3

Payment-page script management

Maintain an inventory, confirm authorization, and document the business or technical justification for in-scope scripts.

11.6.1

Change and tamper detection

Monitor relevant pages and scripts for unauthorized modifications and investigate detected changes.

Security by design

We treat scan evidence as sensitive.

A storefront's vendor footprint can reveal meaningful operational detail, so the system is designed around restrained collection and private storage.

Passive scans

No forms, credentials, checkout actions, or vulnerability exploitation.

Private evidence

Raw inventories, reports, and baselines are kept in non-public storage.

Abuse controls

Turnstile, authorization confirmation, and daily limits protect scanner capacity.

Questions

What to expect.

The free scan is intentionally narrow: useful evidence without intrusive testing.

Does the scan change anything on my store?

No. It is a passive browser visit to the public URL you submit. It does not install software, submit forms, authenticate, or alter storefront content.

Does it scan every page?

The free scan starts with the submitted page and attempts to discover one product page, one collection or category page, and a public cart page. It does not enter checkout, submit forms, or cover every consent, location, and account state.

Does an unknown script mean malware?

No. “Needs review” means the source is not yet in our deterministic vendor library. It may be a legitimate app that needs a one-time ownership check.

Is this a PCI certification?

No. The report can support script inventory and monitoring work, but it is not an assessment, certification, or substitute for a QSA.

What happens to my scan data?

Reports and inventories are stored privately for delivery, baseline comparison, and service operations. See our Privacy Policy for retention and deletion information.

Free storefront scan

See what your customers' browsers receive.

Submit an authorized public storefront URL. We will observe its client-side scripts and email you a private, plain-English report.

Real browser observation
Vendor and ownership grouping
Unknown-source review list
Initial integrity baseline

Read-only · up to four public storefront pages · subject to daily limits