Skip to content
All posts
Industry InsightsSecurity

Cloudflare just opened client-side security to everyone: Why eCommerce teams should care and what it doesn't cover

Dan Garner··Updated 15 July 2026
Cloudflare just opened client-side security to everyone: Why eCommerce teams should care and what it doesn't cover

On March 30, 2026, Cloudflare announced a significant change: its advanced Client-Side Security tools, previously gated behind enterprise plans, are now available to all users. At the same time, Cloudflare made domain-based threat intelligence free for everyone on the base tier.

For eCommerce merchants, this is a meaningful step forward in accessible security. But it also highlights a gap that many teams don’t realise exists until it’s too late: security monitoring and experience monitoring are two different things, and both matter.

What Cloudflare actually announced

The update has two parts:

1. Client-Side Security Advanced (formerly the Page Shield add-on) is now available to self-serve customers. This tier provides:

  • AI-assisted malicious script detection using a two-stage cascading system: a Graph Neural Network (GNN) that analyses the structural patterns of JavaScript code, followed by an LLM that provides a “second opinion” to filter out false positives. According to Cloudflare, this combination reduced false positives by up to 200x compared to the GNN alone, bringing the false positive rate for unique scripts from 1.39% down to 0.007%
  • Code change monitoring that continuously tracks when third-party scripts are modified, essential for meeting PCI DSS v4 requirements 6.4.3 and 11.6.1
  • Proactive blocking rules that enforce positive content security policies through continuous monitoring

In plain terms: Cloudflare scans every script running on your pages (3.5 billion scripts per day at their scale) and flags ones that behave like malicious code, even when that code has been obfuscated to look legitimate. The new AI layer makes this detection far more accurate, reducing the false alarms that cause security fatigue.

2. Domain-based threat intelligence is now free for all Cloudflare Client-Side Security customers. This gives site owners a direct signal when JavaScript or connections on their pages are associated with known malicious domains, without needing an enterprise contract.

Cloudflare noted that in 2025, they saw many non-enterprise customers, particularly those on Magento, affected by client-side attacks that persisted for days or weeks after being publicised. Small and medium merchants often lack the resources to maintain high security standards on their own. This move directly addresses that gap.

The skimmer problem this addresses

Client-side skimming attacks have a disquieting property: they steal data without breaking anything. The page loads normally. Checkout completes. No error appears anywhere in the merchant’s monitoring stack.

A new breed of skimmer that uses WebRTC data channels to exfiltrate stolen payment data, bypassing Content Security Policy (CSP) entirely. CSP is one of the primary browser-level defences against injected scripts. WebRTC peer-to-peer connections simply fall outside its scope.

CSP (Content Security Policy) is a browser security feature that restricts which external scripts and connections a page is allowed to make. It’s the standard first line of defence against injected malicious code. WebRTC data channels operate on a different connection layer entirely, which is why the skimmer bypasses it.

Cloudflare’s cascading AI detection addresses exactly this class of attack: sophisticated, obfuscated scripts that evade signature-based detection but reveal their intent through structural and semantic analysis. For merchants on Magento, WooCommerce, or any platform that loads third-party scripts at checkout, this is a meaningful defensive layer.

Security monitoring and experience monitoring are different problems

Here is the nuance that matters for eCommerce teams: Cloudflare’s client-side security is built to detect threats. It will catch a skimmer injected into your checkout page. What it won’t catch is the non-malicious JavaScript error that silently breaks your add-to-cart button for Safari users, or the performance regression introduced by a theme update that pushes your LCP past 3 seconds on mobile.

Both categories cost revenue. They just cost it in different ways.

According to the latest Baymard Institute research, the global cart abandonment rate hit 70.22% in 2026. A significant portion of that abandonment stems from technical friction: checkout pages that throw JavaScript errors, payment forms that fail to submit, broken discount fields, or pages that simply take too long to render. The May 2026 CrUX dataset from Google shows that only 55.9% of web origins pass all three Core Web Vitals. For eCommerce sites carrying heavier JavaScript payloads and more third-party integrations, the pass rate is often lower.

Security tools detect attacks. APM tools track server response times. Neither tells you what real customers are actually experiencing on your live store right now.

Why the timing matters

Several platform changes are creating elevated risk for client-side issues right now, separate from security threats entirely:

  1. Shopify's July 2026 platform changes are rolling out at pace. The developer changelog shows breaking changes in POS UI extensions (2026-07), Customer Account API deprecations scheduled for 2026-10, and new identity verification requirements for Partners. Each of these changes has the potential to introduce unexpected client-side issues if apps and themes don't adapt smoothly.

  2. Magento Open Source 2.4.9, released in May, shipped with over 500 bug fixes and dropped support for older PHP versions. Stores that have upgraded, or are in the process of upgrading, are at elevated risk of subtle regressions that only manifest in production under real traffic conditions.

  3. Cross-border complexity is increasing. Shopify's new duties-inclusive pricing for Managed Markets (July 10) eliminates surprise fees at checkout for international buyers, which should reduce abandonment. But the rollout itself introduces new price calculation logic that needs monitoring to ensure it renders correctly across all markets and currencies.

What proactive monitoring looks like

The stores that win in this environment aren't the ones with the most tools; they're the ones with the right visibility. That means:

  • Real user monitoring that captures what actual customers experience, not just synthetic tests from a single location
  • Error detection that catches JavaScript exceptions in production before they reach thousands of customers
  • Revenue impact quantification that tells you not just what's broken, but how much it's costing you, so you can prioritise fixes based on business impact
  • Continuous Core Web Vitals tracking from real sessions, not periodic Lighthouse audits that miss the peaks and troughs of real traffic patterns

This is what AuditIQ is built to provide. While Cloudflare Page Shield protects against malicious threats at the CDN level, AuditIQ eCommerce monitoring tool tracks the real user experience on your live eCommerce site, catching JavaScript errors, tracking Core Web Vitals from actual customer sessions, detecting broken checkout flows, and quantifying the revenue impact of every issue it finds.

A skimmer that steals a customer’s credit card is a catastrophic event. A broken checkout button that turns away fifty customers a day is a slow bleed. Both matter. The difference is that one makes headlines, and the other only shows up in your revenue reports if you’re measuring it at all.

Enable Cloudflare’s Client-Side Security with AuditIQ and find out what your customers are actually experiencing today!

About the author

Dan Garner writes from AuditIQ's experience monitoring eCommerce performance, SEO, security, and reliability issues across Magento, Shopify, WooCommerce, and Adobe Commerce stores.

Cloudflare just opened client-side security to ever...