Get started
To enable client-side resource monitoring:
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Page Shield.
- Select Enable Page Shield.
If you do not have access to Page Shield in the Cloudflare dashboard, check if your user has one of the necessary roles.
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Security > Settings and filter by Client-side abuse.
- Turn on Continuous script monitoring.
If you do not have access to resource monitoring in the Cloudflare dashboard, check if your user has one of the necessary roles.
When you enable client-side resource monitoring, it may take a while to get the list of detected scripts in your domain.
To review the scripts detected by Cloudflare:
-
Go to the client-side resources page:
- Old dashboard: Go to Security > Page Shield.
- New security dashboard: Go to Security > Web assets > Client-side resources tab.
-
Review the list of detected scripts, checking for any unknown or unexpected scripts.
Depending on your plan, Cloudflare will also:- Inform you if a script is considered malicious.
- Show the details about each detected script.
Depending on your plan, you may be able to also review the connections made by scripts in your domain's pages and check them for malicious activity.
Once you have activated Page Shield's client-side resource monitoring, you can set up one or more alerts informing you of relevant client-side changes on your zones. The available alert types depend on your Cloudflare plan.
To configure an alert:
- Go to Account Home > Notifications.
- Choose Add and then select Page Shield in the Product dropdown.
- Select an alert type.
- Enter the notification name and description.
- (Optional) If you are an Enterprise customer with a paid add-on, you can define the zones for which you want to filter alerts in Policies of these zones. This option requires that you define allow policies in the selected zones.
- Select one or more notification destinations (notification email, webhooks, and connected notification services).
- Select Create.
To edit, delete, or disable an alert, go to your account notifications ↗.
Policies — called content security rules in the new security dashboard — define allowed resources on your websites. Create policies to implement a positive security model1.
When you create a policy with the Log action, Cloudflare logs any resources not covered by the policy, without blocking any resources. Use this action to validate a new policy before deploying it.
-
Log in to the Cloudflare dashboard ↗ and select your account and domain.
-
Go to Security > Page Shield > Policies.
-
Select Create policy.
-
Enter a descriptive name for the rule in Description.
-
Under If incoming requests match, define the policy scope. You can use the Expression Builder (specifying one or more values for Field, Operator, and Value) or manually enter an expression using the Expression Editor. For more information, refer to Edit expressions in the dashboard.
-
Under Allow these directives, select the desired CSP directives for the policy by enabling one or more checkboxes.
-
To manually enter an allowed source, select Add source.
-
To refresh the displayed sources based on Page Shield's detected resources, select Refresh suggestions.
-
- Under Then take action, select Log.
-
To save and deploy your rule, select Deploy.
-
Log in to the Cloudflare dashboard ↗ and select your account and domain.
-
Go to Security > Security rules.
-
Select Create > Content security rules.
-
Enter a descriptive name for the rule in Description.
-
Under If incoming requests match, define the scope of the content security rule (or policy). You can use the Expression Builder (specifying one or more values for Field, Operator, and Value) or manually enter an expression using the Expression Editor. For more information, refer to Edit expressions in the dashboard.
-
Under Allow these directives, select the desired CSP directives for the content security rule by enabling one or more checkboxes.
-
To manually enter an allowed source, select Add source.
-
To refresh the displayed sources based on detected resources, select Refresh suggestions.
-
- Under Then take action, select Log.
-
To save and deploy your rule, select Deploy.
Resources not covered by the policy you created will be reported as policy violations. After some time, review the list of policy violations to make sure the policy is correct.
To view policy violation information:
- Old dashboard: Go to Security > Page Shield > Policies.
- New security dashboard: Go to Security > Security rules, and filter by Content security rules.
The displayed information includes the following:
- A sparkline next to the policy/rule name, showing violations in the past seven days.
- For policies with associated violations, an expandable details section for each policy, with the top resources present in violation events and a sparkline per top resource.
Update the policy if needed.
Once you have verified that your policy is correct, change the policy action from Log to Allow.
When you use the Allow action, Cloudflare starts blocking any resources not explicitly allowed by the policy.
-
A positive security model is one that defines what is allowed and rejects everything else. In contrast, a negative security model defines what will be rejected and accepts the rest. ↩
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark