Page Shield Alerts & Notifications

Page Shield continuously monitors all JavaScript resources loaded by visitors. When something changes, you get an alert. Here's what each alert type looks like and when it fires.

New Script Detected Triggered: 2 minutes ago

Unknown script appeared on checkout page

🔔
Script URL: https://cdn.evil-analytics.example/tracker.js
First seen on: pageshield.agreatorganization.com/checkout
Loaded by: https://cdn.trusted-tagmanager.example/gtm.js (dynamic injection)
Page Shield status: New — not in baseline

When this fires: A script URL that Page Shield has never seen before starts loading on your site. This is the first signal that something may have changed — either intentionally (new vendor added) or maliciously (injection).

Code Changed Triggered: 5 minutes ago

trusted-vendor.js content hash changed

⚠️
Script URL: /js/trusted-vendor.js
Previous hash: sha256-a1b2c3d4e5f6...
Current hash: sha256-x9y8z7w6v5u4...
Change detected: New dynamic script injection code added
Page Shield status: Modified — content differs from baseline

When this fires: A known script's content changes (different hash). This catches supply-chain compromises where an attacker modifies a vendor's script without changing the URL.

Malicious Code Detected Triggered: 1 minute ago

Formjacking / data exfiltration patterns found

🚨
Script URL: /js/skimmer.js
Threat type: Magecart / Formjacking
Indicators:
• Hooks form submit events on payment forms
• Reads credit card input fields (card_number, cvv, expiry)
• Attempts to POST data to external endpoint
Affected pages: /checkout, /payment
Action taken: Blocked (block rule ps_block_001 active)

When this fires: Page Shield's ML-powered classifier identifies malicious patterns such as credit card skimming, keylogging, or data exfiltration in a script's code. This is the highest-severity alert.

Suspicious Connection Triggered: 3 minutes ago

Script connecting to known malicious domain

🌐
Script URL: /js/evil-payload.js
Outbound connection: https://evil-collector.example/steal
Domain reputation: Known malicious (threat intelligence match)
Data sent: cookies, localStorage keys, page URL

When this fires: Page Shield detects outbound connections from scripts to domains flagged by Cloudflare's threat intelligence feeds. Even if the script itself wasn't flagged, the connection target raises a red flag.

Notification Channels

Page Shield alerts can be routed to multiple destinations so the right team is notified immediately.

📧
Email
Cloudflare dashboard notifications → email
💬
Webhooks
Slack, Teams, or any HTTP endpoint
📟
PagerDuty
Direct integration for on-call teams
📊
SIEM / Logpush
Push to Splunk, Datadog, S3, etc.

Configuring Alerts

  1. 1. Go to Cloudflare Dashboard → Security → Page Shield → Policies
  2. 2. Under Notifications, click Add Notification
  3. 3. Choose the alert type(s): New Scripts, Code Changed, Malicious Code
  4. 4. Select delivery method (email, webhook, PagerDuty)
  5. 5. Optionally filter by page path or script URL patterns
  6. 6. Save — alerts are active immediately