Modern web apps do not run on your code alone anymore. They run on analytics tags, payment widgets, chat tools, marketing pixels, and a long list of third-party JavaScript. That flexibility is powerful, but it also creates a new class of risk. Client-side attacks such as Magecart-style skimming specifically target these external resources, often without ever touching your servers.
PCI DSS 4.0 recognizes this shift.
One of the newest requirements focuses on visibility and control over scripts and iframes that load in a user’s browser, especially on payment pages. Organizations must now know what external code is executing, verify it is authorized, and detect when something changes.
Our best-in-class Check Point WAF now includes Automatic Script and IFrame Discovery and Authorization to help teams meet these requirements without manual inventory work.
What the feature does
The WAF automatically discovers and inventories every external JavaScript and iframe resource loaded by protected applications. Instead of guessing what your site depends on, you get a real, continuously updated view of what actually executes in the browser.
From there, security teams can:
- Identify all third-party scripts and iframe sources
- Detect newly introduced or modified external resources
- Prevent unauthorized scripts from executing
- Enforce an approved trust list of external domains
- Maintain the ongoing visibility required by PCI DSS 4.0
In simple terms, the WAF moves control to where the risk now lives: the client side.
Why this matters
Historically, WAFs focused on protecting the server from malicious requests. But many modern breaches do not attack the server at all. Attackers inject a small script through a compromised third-party provider, a tag manager, or a supply chain dependency. The page loads normally, the checkout works, and sensitive data is silently exfiltrated from the user's browser.
Without visibility into browser-executed resources, these attacks can persist for months.
Automatic Script and IFrame Authorization allows organizations to create a baseline of approved sources and immediately flag or block anything new or unauthorized. This significantly reduces exposure to client-side data theft while also simplifying PCI compliance audits.
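To make the inventory-and-baseline idea concrete, here is an added example (not Check Point code, and not a description of how the WAF implements the feature) that walks a page's HTML, inventories every external script and iframe source, compares it against an approved-domain baseline, and derives a Content-Security-Policy header from that baseline. The sample checkout page, the page origin, and the approved domains are constructed values; using CSP as the enforcement mechanism is this example's own assumption, chosen because it is the standard browser-side control for the same problem.

```python
"""Inventory external <script>/<iframe> sources, compare to a baseline, emit CSP.

Added example, not Check Point's code. The HTML, origin, and approved
domains below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page. The last external script and iframe are
# the kind of "new" resources a tag-manager or supply-chain compromise would add.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://js.example-pay.test/v3/checkout.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<iframe src="https://js.example-pay.test/card-frame"></iframe>
<script src="//cdn.not-approved.test/loader.js"></script>
<iframe src="https://frames.unknown-vendor.test/widget"></iframe>
<script>console.log("inline scripts have no src and are not inventoried here")</script>
</body></html>
"""

PAGE_ORIGIN = "https://shop.example.test"                 # hypothetical site
APPROVED_DOMAINS = {"js.example-pay.test",                # hypothetical baseline
                    "cdn.example-analytics.test"}


class ResourceCollector(HTMLParser):
    """Collects (tag, src) for every <script> and <iframe> that has a src."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src))


def inventory(html, page_origin=PAGE_ORIGIN):
    """Return [(tag, host)] for resources served from a host other than the page's.

    Relative URLs (no host) and same-host URLs are first-party and skipped.
    Protocol-relative URLs ("//host/x.js") still resolve to a host and are kept.
    """
    collector = ResourceCollector()
    collector.feed(html)
    page_host = urlparse(page_origin).hostname
    external = []
    for tag, src in collector.resources:
        host = urlparse(src).hostname  # None for relative src
        if host is None or host == page_host:
            continue
        external.append((tag, host))
    return external


def review(html, approved, page_origin=PAGE_ORIGIN):
    """Split the external inventory into baseline-approved and unauthorized entries."""
    result = {"approved": [], "unauthorized": []}
    for tag, host in inventory(html, page_origin):
        bucket = "approved" if host in approved else "unauthorized"
        result[bucket].append((tag, host))
    return result


def csp_header(approved):
    """Build a CSP value that only permits script/frame sources in the baseline.

    A production policy would also carry nonces or hashes for inline code;
    this header covers external sources only.
    """
    hosts = " ".join(sorted(approved))
    return f"script-src 'self' {hosts}; frame-src 'self' {hosts}"


if __name__ == "__main__":
    report = review(SAMPLE_HTML, APPROVED_DOMAINS)
    for tag, host in report["unauthorized"]:
        print(f"UNAUTHORIZED {tag:<6} {host}")
    print("Content-Security-Policy:", csp_header(APPROVED_DOMAINS))
```

Running it reports the two unauthorized sources and prints the derived header. The check is deliberately by host, not by full URL, because that is the granularity of a trust list of external domains; detecting a *modified* resource on an approved host (the other case the feature claims to cover) would additionally require fetching and hashing the script body, which this example leaves out.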
Compliance without operational overhead
PCI DSS 4.0 requires continuous monitoring and documented authorization of scripts on payment pages. Doing this manually is nearly impossible for modern web applications that change frequently and rely on multiple external services.
Check Point WAF automates the discovery, monitoring, and enforcement process so teams can demonstrate:
- Visibility into all external browser-executed code
- Control over which sources are allowed
- Detection of unauthorized changes
Security teams gain protection. Compliance teams gain evidence.
The outcome
With Automatic Script and IFrame Discovery and Authorization, organizations can reduce the risk of client-side attacks while meeting PCI DSS 4.0 visibility and control requirements, all within the existing WAF security layer.
The web application threat surface moved to the browser. Now your protection has too.