Client Side Mitigation

What is Client Side Mitigation?

Client Side Mitigation (CSM) is a client-side, JavaScript-based blocking capability that provides granular control over legitimate scripts, so you can block specific actions and enforce compliance with PCI, PII and other privacy regulations. Security teams can block a specific action by stopping first- and third-party scripts from accessing sensitive PII or PCI data, without removing or disabling the script entirely. Third-party scripts such as Google Analytics continue to receive approved events and data points, while sensitive data fields such as emails, phone numbers, credit card information and SSNs are blocked.

Code Defender continuously monitors all client-side scripts, looking for anomalous activity such as changes in behavior, communication with new network domains, or modifications to the DOM, any of which could leave the website open to compromise and result in theft of personal data. It ensures the security of sensitive customer data, PII and PCI entered on your website and mobile app.

How does CSM work?

In essence, our Client Side Mitigation solution is based on the browser's native object extension mechanism and on wrapped browser objects. This allows us to observe and, if necessary, prevent actions such as field value access, DOM mutation, network requests and use of the cookie setter.
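The wrapped-object approach described above can be illustrated with a property accessor that is replaced by a policy-checking wrapper. This is an added example, not Code Defender's own code; `FakeInput`, `runAs`, `guardAccessor`, the script name `analytics.example` and the choice to return an empty string on a blocked read are all assumptions made for illustration.

```javascript
// Stand-in for a browser prototype such as HTMLInputElement.prototype,
// constructed so the example runs outside a browser.
class FakeInput {
  constructor(name, v) { this.name = name; this._v = v; }
  get value() { return this._v; }
  set value(v) { this._v = v; }
}

// Hypothetical attribution: a real page would derive the calling script from
// the call stack or document.currentScript; here the harness sets it.
let currentScript = 'first-party';
function runAs(script, fn) {
  const prev = currentScript;
  currentScript = script;
  try { return fn(); } finally { currentScript = prev; }
}

const events = [];  // every observed action, allowed or blocked

// Replace an accessor on a prototype with a wrapper that consults `policy`
// before delegating to the original getter or setter.
function guardAccessor(proto, prop, policy) {
  const orig = Object.getOwnPropertyDescriptor(proto, prop);
  if (!orig || !orig.configurable) throw new Error(`cannot wrap ${prop}`);
  const check = (action, target) => {
    const allowed = policy({ action, prop, target, script: currentScript });
    events.push({ action, field: target.name, script: currentScript, allowed });
    return allowed;
  };
  Object.defineProperty(proto, prop, {
    configurable: false,  // later scripts cannot redefine or delete the wrapper
    enumerable: orig.enumerable,
    get() { return check('read', this) ? orig.get.call(this) : ''; },
    set(v) { if (check('write', this)) orig.set.call(this, v); },
  });
}

// Constructed policy: the analytics script may read ordinary fields but not
// sensitive ones; every other action is allowed.
const SENSITIVE = new Set(['cardNumber', 'ssn', 'email']);
guardAccessor(FakeInput.prototype, 'value', ({ action, target, script }) =>
  !(action === 'read' && script === 'analytics.example' && SENSITIVE.has(target.name)));

const card = new FakeInput('cardNumber', '4111111111111111');  // constructed test value
const query = new FakeInput('search', 'blue shoes');
const seenByAnalytics = runAs('analytics.example', () => [card.value, query.value]);
const seenByCheckout = runAs('first-party', () => card.value);
```

A wrapper of this kind only governs code that runs after it is installed, so a script that captured the original accessor earlier is not affected; loading the wrapper before any other script closes that gap.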

Enabling CSM

At the moment, to enable CSM for your domain, please reach out to your customer success manager, who can quickly turn it on for you.
To make sure enablement is completed as soon as possible, please make sure the following are in place:
The PX sensor snippet is used in 1st party mode (Read more on how to enable 1st party).
The PX sensor snippet is placed in the <head> section of the HTML page.
Although not mandatory, these recommendations ensure that both detection and mitigation run under ideal conditions.

CSM in CD Portal


Review the incident on the portal dashboard and left-click to block actions


Confirmation popup that the action has been blocked


View all script actions and status by using our script analyser connection map


View all blocked actions across the domain