Monitoring your inventory

An inventory is a collection of the client-side scripts and security-impacting response headers that Fastly observes for a Page. Each inventory is associated with a single Page. Reviewing changes to your inventory can help you identify security issues that should be investigated.

Prerequisites

Before Fastly creates an inventory for your Page, you must set up Client-Side Protection by creating at least one website and Page.

Reviewing inventoried scripts

For each observed script in the inventory, you can add an authorization status to help keep track of which scripts you've reviewed for legitimacy. If a script shouldn't be loading, investigate the issue and take action accordingly.

To add an authorization status, complete the following steps:

  1. Log in to the Fastly control panel.
  2. Go to Security > Client-Side Protection > Inventory.
  3. From the Pages bar, click the Menu icon to the right of the Page name and select a Page.
  4. Click the Pencil icon to the right of the script you want to add an authorization status for.
  5. From the Authorized menu, leave Yes selected to authorize the script, or select No to mark it as not authorized.
  6. In the Justification field, enter the reason the script is authorized or not authorized.
  7. Click Update.

When Fastly detects changes to a script that has an authorization status, Fastly resets the authorization status.
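The reset-on-change rule above is easy to reproduce locally if you want to keep your own record of review decisions alongside the control panel. The following is an added example, not Fastly's code or API: it keys each observed script by URL, stores a SHA-256 of the script body so that a change to the content is detectable, and clears the authorization status and justification when the hash changes. The page URL, script URLs and script bodies are constructed for the demonstration.

```python
"""Local inventory of client-side scripts with an authorization status.

Added example (not Fastly's code): a changed script body resets its review
decision, mirroring the behaviour described for the Fastly inventory.
All URLs and script bodies below are constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ScriptRecord:
    url: str
    sha256: str
    authorized: Optional[bool] = None   # None means no current decision
    justification: str = ""


@dataclass
class ScriptInventory:
    page: str
    records: dict[str, ScriptRecord] = field(default_factory=dict)

    @staticmethod
    def digest(body: bytes) -> str:
        return hashlib.sha256(body).hexdigest()

    def observe(self, url: str, body: bytes) -> ScriptRecord:
        """Record a script seen on the page; a changed body resets its status."""
        sha = self.digest(body)
        rec = self.records.get(url)
        if rec is None:
            rec = ScriptRecord(url=url, sha256=sha)
            self.records[url] = rec
        elif rec.sha256 != sha:
            # Content changed since the last decision: the old review no longer
            # applies, so drop it and require a fresh one.
            rec.sha256 = sha
            rec.authorized = None
            rec.justification = ""
        return rec

    def set_authorization(self, url: str, authorized: bool, justification: str) -> None:
        """Equivalent of choosing Yes/No and filling in the Justification field."""
        rec = self.records[url]
        rec.authorized = authorized
        rec.justification = justification

    def needs_review(self) -> list[str]:
        """Scripts with no current decision: newly seen ones and changed ones."""
        return sorted(u for u, r in self.records.items() if r.authorized is None)

    def unauthorized(self) -> list[str]:
        """Scripts explicitly marked as not authorized; these warrant action."""
        return sorted(u for u, r in self.records.items() if r.authorized is False)


def demo() -> ScriptInventory:
    """Walk through two observations of a constructed checkout page."""
    inv = ScriptInventory(page="https://www.example.com/checkout")
    inv.observe("https://www.example.com/static/app.js", b"window.app = {};")
    inv.observe("https://cdn.example.net/analytics.js", b"track();")
    inv.set_authorization("https://www.example.com/static/app.js", True,
                          "First-party bundle built from our repository")
    inv.set_authorization("https://cdn.example.net/analytics.js", False,
                          "Third-party tag not approved by privacy review")
    # Second observation: the first-party bundle changed, so its Yes is reset
    # while the unchanged analytics script keeps its No.
    inv.observe("https://www.example.com/static/app.js", b"window.app = {v: 2};")
    return inv


if __name__ == "__main__":
    inventory = demo()
    print("needs review:", inventory.needs_review())
    print("not authorized:", inventory.unauthorized())
```

Running the demo shows the first-party bundle back in the review queue after its content changed, while the analytics script keeps its "not authorized" decision because its hash did not change.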

Monitoring response headers

Fastly logs the following security-impacting response headers for all responses that have the Content-Security-Policy-Report-Only response header:

  • Access-Control-Allow-Origin
  • Content-Security-Policy
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • Permissions-Policy
  • Referrer-Policy
  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection

Every three days, Fastly emails a list of the response headers that changed to the address you defined on the associated Page. The changes are grouped into 60-minute periods. If a changed header value looks dangerous (for example, a protection that was removed or loosened), investigate the issue and take action accordingly.
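When a change report arrives, the useful question is not just which headers differ but whether the new value is weaker than the old one. The following is an added example, not Fastly's code: it diffs two header snapshots for the same page, restricted to the header list above, and attaches heuristic flags for values that commonly weaken protection (a wildcard CORS origin, 'unsafe-inline' or 'unsafe-eval' in the effective script-src, a short HSTS max-age, a removed header). The snapshots are constructed sample data and the weakening rules are this example's own, not Fastly's.

```python
"""Diff security-impacting response headers between two observations.

Added example (not Fastly's code): reports added, removed and changed
headers from the list on this page and flags values that usually weaken
protection. Header snapshots and flagging rules are this example's own.
"""
from __future__ import annotations

from typing import Optional

# The header list from the section above. Names are compared lower-cased
# because HTTP header names are case-insensitive.
SECURITY_HEADERS = {
    "access-control-allow-origin", "content-security-policy",
    "cross-origin-embedder-policy", "cross-origin-opener-policy",
    "cross-origin-resource-policy", "permissions-policy", "referrer-policy",
    "strict-transport-security", "x-content-type-options", "x-frame-options",
    "x-xss-protection",
}

ONE_YEAR = 31536000


def normalize(headers: dict[str, str]) -> dict[str, str]:
    """Keep only the security-impacting headers, lower-cased names, trimmed values."""
    return {k.lower(): v.strip() for k, v in headers.items() if k.lower() in SECURITY_HEADERS}


def diff_headers(before: dict[str, str], after: dict[str, str]) -> dict[str, tuple[Optional[str], Optional[str]]]:
    """Map header name -> (old value, new value) for each header that differs."""
    b, a = normalize(before), normalize(after)
    return {n: (b.get(n), a.get(n)) for n in sorted(set(b) | set(a)) if b.get(n) != a.get(n)}


def weakening_flags(name: str, value: Optional[str]) -> list[str]:
    """Heuristic reasons a new value deserves a closer look (example's own rules)."""
    if value is None:
        return ["header removed"]
    v = value.lower()
    flags: list[str] = []
    if name == "access-control-allow-origin" and v == "*":
        flags.append("wildcard CORS origin")
    if name == "content-security-policy":
        # Parse "directive source source; directive ..." into a dict and look at
        # the effective script-src (default-src applies when script-src is absent).
        directives = {p[0]: p[1:] for p in (d.split() for d in v.split(";")) if p}
        script_src = directives.get("script-src", directives.get("default-src", []))
        for tok in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if tok in script_src:
                flags.append(f"script-src allows {tok}")
    if name == "strict-transport-security":
        max_age = 0
        for part in (p.strip() for p in v.split(";")):
            if part.startswith("max-age=") and part[len("max-age="):].isdigit():
                max_age = int(part[len("max-age="):])
        if max_age < ONE_YEAR:
            flags.append("HSTS max-age shorter than one year")
    if name == "x-frame-options" and v not in ("deny", "sameorigin"):
        flags.append("non-standard X-Frame-Options value")
    if name == "x-content-type-options" and v != "nosniff":
        flags.append("X-Content-Type-Options is not nosniff")
    if name == "referrer-policy" and v == "unsafe-url":
        flags.append("Referrer-Policy leaks full URL cross-origin")
    return flags


def review(before: dict[str, str], after: dict[str, str]) -> list[tuple[str, Optional[str], Optional[str], list[str]]]:
    """Changed headers with (name, old, new, flags), flagged ones are the priority."""
    return [(n, old, new, weakening_flags(n, new)) for n, (old, new) in diff_headers(before, after).items()]


# Constructed snapshots of one page's response headers, three days apart.
BEFORE = {
    "Content-Type": "text/html",  # ignored: not security-impacting
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
AFTER = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Access-Control-Allow-Origin": "*",
}

if __name__ == "__main__":
    for name, old, new, flags in review(BEFORE, AFTER):
        marker = "!!" if flags else "  "
        print(f"{marker} {name}: {old!r} -> {new!r} {flags}")
```

On the constructed snapshots the report lists four changes, all flagged: a new wildcard CORS header, 'unsafe-inline' added to script-src, HSTS max-age cut to one day, and X-Frame-Options removed. Unchanged headers and non-security headers such as Content-Type are left out, which is the same filtering the change email applies.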
