Simon Wijckmans on How c/side Brings Transparency and Security to Third-Party Website Scripts – An Interview with Website Planet

Written by: Luka Dragovic

In today’s web ecosystem, third-party scripts are everywhere—powering everything from analytics to payment processing.

Yet, many businesses lack visibility into what these scripts actually do in their users’ browsers, making them a prime target for cyberattacks. In an interview with Website Planet, Simon Wijckmans, founder of c/side, shares how his experience at Cloudflare led him to develop a solution that offers full transparency and control.

He discusses how c/side protects websites from third-party script vulnerabilities, enhances security compliance, and even improves website performance.

What led you to start c/side, and what problems does it solve?

The journey to starting c/side in 2024 began at Cloudflare, where I managed their client-side security product. I noticed the problem we were solving was not getting the attention it deserved and needed. Third-party dependencies became an increasingly dangerous subject, and how they execute in the browser was a blind spot.

Most websites today rely on 30-40 third-party scripts that are used for analytics, payments, chatbots, marketing tools, etc. Each of these scripts runs on your website visitors’ browsers, yet you, as the web dev or admin, have minimal visibility into what that code actually does. Even worse, any of your server-side dependencies have the ability to inject a client-side script.

The problem became clear to me: Developers were carefully crafting their own code while giving third parties essentially free rein. When these scripts are compromised—as we saw with the Polyfill attack affecting hundreds of thousands of websites last year—the website owner bears the responsibility.

After working at Cloudflare (as well as Microsoft and Vercel), I realized businesses needed a specialized tool focused solely on securing these dependencies. Most solutions were afterthoughts from larger security vendors, lacking the depth to solve this specific problem.

c/side gives web developers and website owners complete visibility and control over third-party scripts running on their websites. We help our customers protect website user data and maintain website performance without them needing to become security experts themselves.

How does c/side address the security challenges of third-party website scripts? How is it different from other solutions?

c/side takes a fundamentally different approach to securing dependencies. We use a proxy method that allows our platform to analyze 100% of the payload code, 100% of the time, in real time, and store it for future analysis and forensics.

The challenge is their dynamic nature. Each time a website requests a script, the web server can respond with different code. Attackers use this to target specific site visitors, IP addresses, or browsing sessions with malicious code while sending “clean” code to security tools. Traditional web security approaches like threat feeds, content security policies, behavioral detection, or web crawlers cannot effectively address this rapidly growing challenge.

Our approach routes third-party scripts through our proxy, allowing us to inspect the full payload before it reaches your visitor’s browser. We analyze the complete code—not just the domain it’s coming from—using a combination of traditional checking methods and advanced techniques, including AI analysis of the code itself.

If we detect potentially malicious activity, we can block the code from executing altogether. For example, if a script suddenly connects to a newly registered domain in a suspicious location, we can prevent that code from ever loading. The script gets locked to the previous hash, and the website functions normally until the problem is resolved.

What differentiates us even more is our historical record of script behavior. Should something slip through, we have a complete audit trail to analyze what happened and improve our detection. Most other web security tools cannot provide this level of transparency and security because they only sample traffic or check sources without examining the actual code.
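
Editor's added example (not c/side's code and not part of the interview): the following JavaScript shows the general idea of hashing every payload a proxy receives, keeping each one in a history for forensics, and serving the last approved version when a changed payload looks suspicious. The names `ScriptGate` and `referencedHosts`, the "references a hostname the approved version did not" heuristic (a stand-in for real analysis), trusting the first-seen version as the baseline, and all sample payloads and domains are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (body) => crypto.createHash("sha256").update(body).digest("hex");

// Hostnames that appear in absolute URLs inside a script body.
function referencedHosts(body) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return hosts;
}

class ScriptGate {
  constructor() {
    this.pinned = new Map(); // url -> { hash, body } of the last approved version
    this.history = [];       // every payload seen, kept for later forensics
  }

  // Decide what to serve for one upstream response (first-seen is trusted: assumption).
  handle(url, body) {
    const hash = sha256(body);
    const pin = this.pinned.get(url);
    let verdict = "unchanged";
    let newHosts = [];
    if (!pin) {
      verdict = "baseline";
    } else if (pin.hash !== hash) {
      const known = referencedHosts(pin.body);
      newHosts = [...referencedHosts(body)].filter((h) => !known.has(h));
      verdict = newHosts.length ? "blocked" : "updated";
    }
    this.history.push({ url, hash, verdict, newHosts, body });
    // Blocked: keep the pin where it is and serve the previously approved body.
    if (verdict === "blocked") return { verdict, newHosts, serve: pin.body, servedHash: pin.hash };
    this.pinned.set(url, { hash, body });
    return { verdict, newHosts, serve: body, servedHash: hash };
  }
}

// Constructed sample payloads (not real scripts or domains).
const URL_A = "https://cdn.example/widget.js";
const v1 = 'fetch("https://api.example/track?e=load");';
const v2 = 'fetch("https://api.example/track?e=load&v=2");';
const v3 = v2 + 'fetch("https://collector.invalid/c");';

function demo() {
  const gate = new ScriptGate();
  return [v1, v2, v3, v2].map((b) => gate.handle(URL_A, b));
}
```

`demo()` feeds four upstream responses for the same URL through the gate: the first becomes the baseline, the second is accepted as a benign update, the third is blocked with the pinned version served in its place, and the fourth matches the pin again.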

How does c/side help website performance?

Website performance is, of course, a top priority for businesses. Normally, adding security through a proxy would create concerns about added latency, but we’ve engineered c/side to actually improve performance in most cases.

We analyze and optimize third-party scripts as they pass through our proxy. These optimizations include improved compression, removal of unnecessary code elements, intelligent caching, and appropriate prefetching. These capabilities offset the minimal delay introduced by our security checks, resulting in faster overall page load times.

Additionally, our dashboard gives insights into which third-party scripts cause performance bottlenecks. You can see exactly how long each script takes to load, how much bandwidth it consumes, etc.

This visibility helps make informed decisions about which third-party services are worth keeping. For many customers, simply identifying and removing redundant scripts has resulted in significant website performance improvements.

Can you share an example of the type of website attack c/side is designed to protect against?

One of the biggest recent examples of third-party script risk was the Polyfill attack, which affected nearly half a million websites. Attackers compromised a widely used open-source service that provided JavaScript polyfills—code snippets that help older browsers support modern features.

Thousands of websites, including multiple large organizations like Hulu and The Guardian, pulled this script in via the original domain, polyfill[.]io. But when the service changed hands, malicious payloads were injected through the existing domain.

This is exactly the kind of supply chain attack c/side is designed to detect and prevent. Because our proxy-based approach analyzes the full payload of every script in real-time, we can identify and block unexpected changes before they reach website visitors. In the case of Polyfill, we could have flagged the malicious modifications immediately, preventing compromised scripts from executing while allowing the site to function normally.

How does c/side’s technology specifically help companies comply with mandates (like PCI DSS 4.0) that have become more strict and prescriptive around web security?

For websites processing payments, PCI DSS compliance is crucial—and version 4.0.1 doubles down with new mandates. Requirements 6.4.3 and 11.6.1 mandate tamper-detection mechanisms for payment pages by March 31, 2025, recognizing that card skimming now primarily happens through compromised browser scripts. Implementing these requirements traditionally involves complex Content Security Policies, manual code reviews, or Subresource Integrity checks (all technical solutions requiring ongoing maintenance that can break functionality).

However, we make compliance straightforward (we now offer a PCI DSS dashboard). Our platform automatically detects and monitors all scripts on payment pages, alerting you to changes or suspicious behavior. This satisfies the monitoring and reporting requirements without specialized security expertise from your team.

Importantly, protecting just the final payment form is not enough. Attackers often compromise scripts on pages that come earlier in the customer journey. c/side monitors your entire site, providing comprehensive protection throughout your visitor’s experience.

For web developers working with e-commerce platforms, we have specific PCI DSS 4.0 integration guides that simplify implementation while ensuring compliance with these new requirements.

As web security threats evolve, what’s next on c/side’s roadmap to enhance protection against new types of web-script-based attacks?

AI is—probably no surprise—going to play a significant role in our product roadmap. Large language models are already capable of reading and understanding JavaScript code with remarkable accuracy. This enhances our ability to analyze script behavior in real-time, going far beyond what traditional threat feeds can accomplish.

The PCI DSS deadline in March 2025 will create greater awareness of client-side security issues. As more companies realize the risks they face, we’re preparing to scale our platform to meet increased demand. We’re developing enhanced reporting features that will make it easier for security teams to incorporate our insights into their existing workflows.

We’re also working on expanding our capabilities to address more aspects of client-side security beyond third-party scripts. While I can’t share too many details about future features, our vision is to provide comprehensive client-side protection that addresses emerging threats as attackers continue to target the browser environment.

Throughout our development, we remain committed to our core unique strength: providing complete visibility into what’s actually happening in website visitors’ browsers. As attack methods evolve, having that transparency will be crucial for staying ahead of threats.

Find out more at: www.cside.dev
