Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiAppSec Cloud User Guide

    Client-Side Protection

    Client-Side Protection

    The Client-Side Protection (CSP) service provides a unified interface for detecting, preventing, and managing browser-based threats. As modern web applications increasingly rely on JavaScript, APIs, and third-party integrations, the browser environment has become a key attack surface for data theft, code injection, and manipulation.

    This module consolidates protections previously spread across multiple features and addresses the OWASP Top 10 Client-Side Security Risks through layered defense. It monitors third-party scripts and services loaded in your web application, analyzes front-end code to identify all external domains, and assesses each script’s risk level and encryption status.

    Client-Side Protection is currently in Beta, and is only available for Enterprise Plan customers. Please note that if you have CSP enabled and downgrade from Enterprise to Advanced or Standard, CSP will enter a grace period before being removed. For more information about the grace period, please refer to License & Contract

    How it works

    FortiAppSec Cloud enforces client-side security by injecting a lightweight JavaScript collector into eligible HTTP responses. Running directly in the browser, it observes client-side behavior, collects information about scripts, domains, and security headers, and can block unauthorized or high-risk scripts and domains.

    Its architecture consists of three major components:

    • Client JavaScript

      A lightweight script injected into the end user’s browser by FortiAppSec. It observes client-side behavior, collects information about scripts, domains, and security headers, and can block unauthorized or high-risk scripts and domains.

    • CSP Portal (Frontend)

      The management interface integrated into the FortiAppSec Cloud portal. It enables you to:

      • View and manage detected scripts, domains, and security header activity

      • Configure CSP policies

      • Review script, domain, and header changes to support PCI DSS 4.0 requirements

    • Backend Components

      A set of AWS-based backend services that:

      • Process REST API requests

      • Collect and store client-side telemetry

      • Analyze script and domain risk using AI

      • Save data to databases and S3 storage

    Previous
    Next

    Client-Side Protection

    Client-Side Protection

    The Client-Side Protection (CSP) service provides a unified interface for detecting, preventing, and managing browser-based threats. As modern web applications increasingly rely on JavaScript, APIs, and third-party integrations, the browser environment has become a key attack surface for data theft, code injection, and manipulation.

    This module consolidates protections previously spread across multiple features and addresses the OWASP Top 10 Client-Side Security Risks through layered defense. It monitors third-party scripts and services loaded in your web application, analyzes front-end code to identify all external domains, and assesses each script’s risk level and encryption status.

    Client-Side Protection is currently in Beta, and is only available for Enterprise Plan customers. Please note that if you have CSP enabled and downgrade from Enterprise to Advanced or Standard, CSP will enter a grace period before being removed. For more information about the grace period, please refer to License & Contract

    How it works

    FortiAppSec Cloud enforces client-side security by injecting a lightweight JavaScript collector into eligible HTTP responses. Running directly in the browser, it observes client-side behavior, collects information about scripts, domains, and security headers, and can block unauthorized or high-risk scripts and domains.

    Its architecture consists of three major components:

    • Client JavaScript

      A lightweight script injected into the end user’s browser by FortiAppSec. It observes client-side behavior, collects information about scripts, domains, and security headers, and can block unauthorized or high-risk scripts and domains.

    • CSP Portal (Frontend)

      The management interface integrated into the FortiAppSec Cloud portal. It enables you to:

      • View and manage detected scripts, domains, and security header activity

      • Configure CSP policies

      • Review script, domain, and header changes to support PCI DSS 4.0 requirements

    • Backend Components

      A set of AWS-based backend services that:

      • Process REST API requests

      • Collect and store client-side telemetry

      • Analyze script and domain risk using AI

      • Save data to databases and S3 storage

    Previous
    Next