Fastly Client-Side Protection

Fastly Client-Side Protection provides you with the ability to inventory and control the resources (e.g., scripts, images, and fonts) that load on an end user’s browser from defined areas of your web applications by building and enforcing content security policies. When a resource violates your content security policy, the end user’s browser blocks or logs the resource per your selected protection mode. Based on policy violation reports, you can adjust your content security policies as needed. In addition, you can provide a justification as to why each client-side script is or isn’t allowed. These capabilities help you guard against cross-site scripting attacks (e.g., Magecart attack) and enable you to maintain compliance with Payment Card Industry Data Security Standard (PCI DSS) 4.0.1 - Sections 6.4.3 and 11.6.1.

Prerequisites

To purchase Fastly Client-Side Protection, you must purchase Fastly's Next-Gen WAF.

Limitations and considerations

Keep in mind the following limitations and considerations for Fastly Client-Side Protection:

• Fastly Client-Side Protection is reliant on browser support for HTTP Content-Security-Policy response headers. Older browsers may not support all features.
• The Next-Gen WAF inserts the HTTP Content-Security-Policy-Report-Only response header into a sample of responses. This header triggers the inventory process for Fastly Client-Side Protection.
• Depending on whether Client-Side Protection is in blocking or logging mode, the Next-Gen WAF adds either the HTTP Content-Security-Policy or the HTTP Content-Security-Policy-Report-Only response header to all responses that pass through the WAF. These headers deliver your content security policy.
• If your web application has a broken or insecure connection or certificate, the end user’s browser will not forward policy violation reports to Fastly.
• When an object evaluated by the Next-Gen WAF is cached, the content security policy attached to the object is also cached. Both the object and content security policy are served together for as long as the object remains in the cache. If you update the content security policy, cached objects won't reflect the updated content security policy until the object is removed from cache and passes through the WAF again.
• Even with SHA256 hashing, inline scripts can pose a security risk. While compliance with PCI DSS is met, this doesn’t guarantee full protection.
• We store policy violation reports and scripts that were observed during the inventory process for 90 days. When we fail to re-inventory a script for 90 days, we stop storing the script.
• Fastly Client-Side Protection can only be accessed using the Fastly control panel.
• Fastly Client-Side Protection uses Manifest v3.

Billing

Fastly Client-Side Protection is billed based on the number of Pages that are activated under the Websites page for your account each month. As indicated on your service order, your account includes a set number of activated Pages and each additional page incurs a charge.

For example, say you've purchased five Pages as part of your services and that you have five websites on which you wish to use those pages. Each website requires one Page and therefore consumes one Page each from the five you have purchased. During the month, the first five Pages you activate incur no additional charges on your account. Any additional Pages activated throughout the month, however, incur additional month-to-month fees. If an additional Page is activated but deleted before the months' end, it incurs charges only during the month activated and not subsequent months.

Security products note