WAF & Page Shield Setup Guide

Step-by-step instructions for enabling Page Shield, reviewing detected scripts, and creating WAF custom rules to block malicious client-side scripts.

Step 1: Enable Page Shield

Page Shield is available on Business and Enterprise plans (script monitoring on Pro+).

  1. Log in to the Cloudflare Dashboard
  2. Select your zone (agreatorganization.com)
  3. Navigate to Security → Page Shield
  4. Toggle Page Shield to On
  5. Cloudflare immediately begins monitoring all JavaScript resources loaded by real visitors

Page Shield uses a lightweight JavaScript beacon injected via Cloudflare's edge to observe script loading in real browsers. No code changes are needed on your origin.

Dashboard path
Cloudflare Dashboard
  └── agreatorganization.com
       └── Security
            └── Page Shield
                 ├── Script Monitor  ← see all detected scripts
                 ├── Policies        ← block rules live here
                 └── Alerts          ← notification config
Step 2: Review Detected Scripts

After enabling Page Shield, allow 24–48 hours for it to build a comprehensive baseline of all scripts loading across your site.

In the Script Monitor tab you'll see:

Script URL                                First Seen    Pages       Status      Threat
cdn.trusted-vendor.example/analytics.js   30 days ago   All pages   Approved    None
cdn.jquery.example/jquery-3.7.js          30 days ago   All pages   Approved    None
cdn.evil-analytics.example/tracker.js     2 min ago     /checkout   New         Under review
/js/skimmer.js                            1 min ago     /checkout   Malicious   Magecart
Step 3: Create a Page Shield Policy (Block Rule)

Policies let you block scripts that Page Shield flags as malicious, or proactively block unknown scripts on sensitive pages.

Option A: Block Specific Malicious Scripts

Policy Name:  Block Magecart Skimmers
Action:       Block
Match:        Script URL contains "skimmer"
              OR Script flagged as "Malicious"
Scope:        All pages matching /checkout/*
              and /payment/*

  1. Go to Page Shield → Policies
  2. Click Create Policy
  3. Set action to Block
  4. Add conditions (script URL pattern, malicious flag)
  5. Scope to relevant page paths
  6. Save & deploy

Option B: Allow-list Only (Strict Mode)

Policy Name:  Checkout Allow-list
Action:       Block
Match:        Script URL NOT in:
              - cdn.trusted-vendor.example/*
              - cdn.jquery.example/*
              - self (same origin)
Scope:        /checkout/*, /payment/*

  1. Review baseline scripts in Script Monitor
  2. Create policy with negative match
  3. List all approved script origins

Any script NOT in the list is blocked, which makes this the most secure option for sensitive pages.
Step 4: Configure Alerts

Set up notifications so your team knows immediately when Page Shield detects something.

  1. Go to Notifications → Create in the Cloudflare dashboard
  2. Select event type:
    • New Scripts: fires when an unknown script URL first appears
    • Code Changed: fires when a known script's hash changes
    • Malicious Code: fires when Page Shield's classifier flags a script
    • New Script exceeds JS variables: fires when a script exceeds the configured thresholds
  3. Choose delivery: Email, Webhook (Slack/Teams), or PagerDuty
  4. Optionally filter by hostname or page path
  5. Save — notifications are active immediately
Step 5 (optional): Complementary WAF Custom Rules

While Page Shield handles client-side script monitoring and blocking, you can add WAF custom rules as an extra layer of defense at the edge.

Example: Block requests to known skimmer endpoints

// WAF Custom Rule — Expression
(http.request.uri.path contains "/steal"
 or http.request.uri.path contains "/exfil"
 or http.request.uri.path contains "/skimmer")
and http.request.method eq "POST"

// Action
Block

Example: Log CSP violation reports posted to /csp-report

// WAF Custom Rule — CSP Report Analysis
(http.request.uri.path eq "/csp-report"
 and http.request.method eq "POST")

// Action
Log
// Use with CSP report-uri to capture
// and analyze CSP violations at the edge

API & Terraform

All Page Shield configuration can be managed programmatically.

List detected scripts (API)

curl -X GET \
  "https://api.cloudflare.com/client/v4/zones/{zone_id}/page_shield/scripts" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json"

Create policy (API)

curl -X POST \
  "https://api.cloudflare.com/client/v4/zones/{zone_id}/page_shield/policies" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "description": "Block Magecart skimmers",
    "action": "block",
    "expression": "script.url contains \"skimmer\"",
    "enabled": true
  }'
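Before deploying the strict Option B allow-list, it is worth dry-running it against the scripts Page Shield has already observed, using the output of the List-scripts call above. The following Python is an added example, not Cloudflare's code or client: it assumes each entry in the response's "result" array carries "url" and "page_urls" fields (the sample data is constructed to mirror the Script Monitor table), and the glob-based matching helpers are my own approximation, not Page Shield's policy engine.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlparse

SITE_HOST = "agreatorganization.com"
# Allow-list and scope copied from the Option B policy.
ALLOW_LIST = ["cdn.trusted-vendor.example/*", "cdn.jquery.example/*", "self"]
SCOPE = ["/checkout/*", "/payment/*"]

# Constructed sample standing in for the "result" array returned by
# GET /zones/{zone_id}/page_shield/scripts: the Script Monitor rows above
# plus one widget seen only on an out-of-scope page.
SAMPLE_RESULT = json.loads("""[
 {"url": "https://cdn.trusted-vendor.example/analytics.js",
  "page_urls": ["https://agreatorganization.com/", "https://agreatorganization.com/checkout/"]},
 {"url": "https://cdn.jquery.example/jquery-3.7.js",
  "page_urls": ["https://agreatorganization.com/checkout/", "https://agreatorganization.com/payment/"]},
 {"url": "https://cdn.evil-analytics.example/tracker.js",
  "page_urls": ["https://agreatorganization.com/checkout/"]},
 {"url": "https://agreatorganization.com/js/skimmer.js",
  "page_urls": ["https://agreatorganization.com/checkout/"]},
 {"url": "https://cdn.chat-widget.example/chat.js",
  "page_urls": ["https://agreatorganization.com/blog/"]}
]""")


def script_allowed(script_url, site_host=SITE_HOST, allow_list=ALLOW_LIST):
    """True if the script matches an allow-list entry ("self" = same origin)."""
    u = urlparse(script_url)
    host = u.hostname or site_host  # a relative URL is served by the origin itself
    for entry in allow_list:
        if entry == "self":
            if host == site_host:
                return True
        elif fnmatchcase(host + u.path, entry):
            return True
    return False


def dry_run(scripts, scope=SCOPE):
    """Map each script the policy would block to the in-scope pages it loads on."""
    blocked = {}
    for s in scripts:
        if script_allowed(s["url"]):
            continue
        pages = [p for p in s.get("page_urls", [])
                 if any(fnmatchcase(urlparse(p).path, g) for g in scope)]
        if pages:  # scripts seen only outside /checkout and /payment are untouched
            blocked[s["url"]] = pages
    return blocked
```

Calling dry_run(SAMPLE_RESULT) reports only tracker.js, and that is the point to notice: the same-origin /js/skimmer.js from the table passes the allow-list through the "self" entry, so Option B on its own does not stop a skimmer injected into your own origin, and Option A's "flagged as Malicious" condition together with the Code Changed alert remain necessary beside it.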