Payment pages need a different protection plan than marketing pages. The goal is not just to make first-party JavaScript harder to read; it is also to know which scripts are present, detect unexpected script changes, and keep release evidence for audit review.
What JSO covers
- Protect first-party checkout code: use stronger presets and named configuration sets for checkout, wallet, and payment files while keeping public callbacks and vendor scripts excluded.
- Track third-party scripts: the runtime inventory module records known and unknown script origins, inline script hashes, and scripts injected after page load.
- Emit runtime alerts: Runtime Defense and inventory events can go to Dashboard Monitoring, Slack, Discord, Splunk, Elasticsearch, or a signed webhook collector.
- Keep release evidence: signed manifests, watermarks, and PCI DSS v4 evidence reports help prove what was protected, when it shipped, and whether files still match the release record.
Recommended checkout setup
- Put checkout, wallet, subscription, activation, and license files in a named configuration set with a stronger preset.
- Exclude vendor bundles, payment provider SDKs, framework runtime files, and any public callback names those providers call directly.
- Enable watermarks and signed release manifests so every protected file can be traced back to one release.
- Add runtime inventory on payment pages so unknown scripts and post-load script injection create review events.
- Keep a CSV or JSON payment-page script inventory with authorization, owner, business justification, integrity reference, review date, risk, data-access scope, approval ticket, checkout surface, frame context, and frame owner for every script loaded on checkout pages.
- Keep a CSV or JSON payment-page security-header snapshot for checkout pages and frames, including CSP, script-src, frame-src, HSTS, referrer policy, reporting endpoint, baseline hash, monitor, and alert route.
- Forward runtime events to the monitoring path your team already uses, then keep the generated PCI evidence report with release artifacts.
Example protection split
Use named sets when checkout code needs stricter protection than the rest of the site.
{
  "input": "dist",
  "output": "dist-protected",
  "preset": "balanced",
  "namedSets": {
    "checkout": {
      "match": ["assets/checkout/**", "assets/wallet/**", "assets/payment/**"],
      "preset": "maximum",
      "options": {
        "RuntimeDefenseBeaconUrl": "https://www.javascriptobfuscator.com/v1/runtime/beacon.ashx?token=jso_..."
      }
    }
  },
  "exclude": [
    "**/*.map",
    "**/stripe*.js",
    "**/paypal*.js",
    "**/vendor*.js",
    "**/runtime*.js"
  ]
}
Keep provider SDKs readable and unmodified unless the provider explicitly supports transformation. The exclude patterns only affect copies that pass through your build; an SDK loaded from the provider's own origin never reaches the obfuscator, and it is the runtime inventory's origin allowlist that covers it. Protect your first-party logic around pricing, entitlement, validation, and checkout orchestration.
Inventory and alerting
The third-party inventory module is designed for checkout pages where script drift matters. It tracks script sources and inline hashes, flags unknown origins, and notices scripts injected after the page is already loaded.
const inventory = require("jso-protector/runtime/third-party-inventory");

inventory.attach(window, {
  allowedOrigins: [
    "https://js.stripe.com",
    "https://www.paypal.com",
    "https://www.javascriptobfuscator.com"
  ],
  beaconUrl: "https://www.javascriptobfuscator.com/v1/runtime/beacon.ashx?token=jso_..."
});
Use Dashboard Monitoring for first triage. Filter the queue to active events, high/critical events, active high/critical events, or one checkout BuildID, and mark events as reviewing, resolved, ignored, or reopened as the checkout owner works through them. Export the current view as CSV before an audit or release review. Export JSON when support and automation need the same data in a machine-readable, source-free file: Build IDs, statuses, severities, URLs, timestamps, filter context, status and severity counts, active high-risk count, payload-hash coverage, and date ranges. Export one row's Evidence JSON packet when a reviewer asks about a specific checkout event. Route confirmed production events to your long-term monitoring system. If your requirement is a fully managed payment-page security operations console, use a specialized Webpage Integrity platform alongside JSO.
PCI DSS v4 evidence
The npm package can generate a source-free evidence report for controls related to payment-page script management and change detection. Add a payment-page script inventory export when you want the report to summarize authorization, written justification, owner, review date, domain, integrity reference, risk, data access, approval ticket, checkout surface, frame context, and frame owner coverage. Use checkoutSurface, frameContext, frameOwner, parentPageHref, frameHref, and frameOrigin when the payment path includes a parent page, hosted checkout page, PSP iframe, or embedded payment frame.

Add a payment-page security-header snapshot with --payment-page-headers when reviewers ask for CSP/header change evidence. The report summarizes CSP, script-src, frame-src, reporting endpoint, HSTS, referrer policy, baseline-hash match state, monitor, alert route, checkout surface, and frame context without embedding every raw header row. Keep the last approved header snapshot and pass it as --payment-page-headers-baseline so a new HAR export can mark each checkout page or frame as match, mismatch, or missing before release. The header snapshot also includes a source-free security-header Review Assistant Packet for BYO AI or internal reviewers, focused on baseline drift, CSP/reporting, HSTS, and frame-policy owner actions, without sharing raw response headers, cookies, source code, payment data, customer data, provider keys, or secrets.

Add the Dashboard Monitoring CSV or JSON export when you want the same report to summarize browser-side incident history without including source code or every raw event row. The runtime incident section adds a source-free response window with timing basis, due time, and overdue state, plus a response checklist with owner, target, scope confirmation, downstream routing, and safe-sharing steps for reviewer or on-call handoff.

The package includes examples/payment-page-script-inventory.json and examples/payment-page-security-headers.json as starter attachments. --script-inventory-from-snapshot turns an observed third-party-inventory runtime snapshot into a review starter, and --script-inventory-audit compares the approved inventory with a fresh runtime snapshot before reviewer handoff. The audit fails on blocking script drift or required inventory metadata gaps, and separately reports optional risk, data-access, approval-ticket, and iframe-scoped script context so checkout owners can improve the packet before QSA review. Each audit also includes a Review Assistant Packet with source-free prompts for BYO AI or internal reviewers, including safe-input boundaries and reminders not to include source code, payment data, customer data, provider keys, or secrets.

The final PCI report includes a PCI DSS Review Assistant that turns evidence gaps, signed-release proof, script authorization, observed script drift, header change evidence, runtime incident routing, and QSA handoff boundaries into checkout-owner actions, without sharing source code, protected output, raw script rows, raw response headers, raw incident payloads, payment-card data, provider keys, customer data, or secrets.

GitHub Actions workflows can run the same audit gate with the payment-script-inventory, runtime-inventory-snapshot, and script-inventory-audit-report action inputs; convert a checkout HAR into header evidence with payment-page-har, payment-page-headers-baseline, payment-page-url-pattern, and payment-page-headers-report; and assemble the final source-free PCI packet with pci-dss-v4-evidence, pci-dss-v4-report, and pci-dss-v4-json-report. Use the signed-release and watermark inputs when the PCI packet needs to pass rather than document incomplete evidence. The action also adds a step summary and workflow annotations for the first audit, header, or PCI findings.
The report is not a Report on Compliance and does not replace a QSA-led assessment; it gives your team release artifacts that are easier to review.
npx jso-protector --config jso.config.json \
--watermark checkout-2026-06 --watermark-key "$JSO_WATERMARK_KEY" \
--sign-release "$JSO_RELEASE_SIGNING_KEY"
# Optional: generate a starter from scripts observed on the checkout page.
npx jso-protector \
--script-inventory-from-snapshot reports/runtime-inventory.json \
--script-inventory-output reports/payment-script-inventory.json
# Optional: convert a browser or synthetic-monitor HAR export into the
# source-free security-header snapshot used by the PCI evidence report.
# The header snapshot includes a source-free Review Assistant Packet for
# baseline drift, CSP/reporting, HSTS, and frame-policy review.
npx jso-protector \
--payment-page-headers-from-har reports/checkout.har \
--payment-page-headers-baseline reports/payment-page-headers.baseline.json \
--payment-page-headers-output reports/payment-page-headers.json \
--payment-page-url-pattern "checkout|payment|wallet"
# Review reports/payment-script-inventory.json before audit use. Set
# authorized, justification, owner, category, integrity, and lastReviewedUtc.
# Compare the approved inventory with the runtime snapshot before handoff.
# The audit output includes a source-free Review Assistant Packet for BYO AI
# or internal reviewer triage; do not add source code, payment data, or keys.
npx jso-protector \
--script-inventory-audit reports/payment-script-inventory.json \
--runtime-inventory-snapshot reports/runtime-inventory.json \
--script-inventory-audit-output reports/payment-script-inventory-audit.json \
--json
# In GitHub Actions, use the JSO action inputs:
# payment-script-inventory: reports/payment-script-inventory.json
# runtime-inventory-snapshot: reports/runtime-inventory.json
# script-inventory-audit-report: ${{ runner.temp }}/payment-script-inventory-audit.json
# payment-page-har: reports/checkout.har
# payment-page-headers-baseline: reports/payment-page-headers.baseline.json
# payment-page-url-pattern: checkout|payment|wallet
# payment-page-headers-report: ${{ runner.temp }}/payment-page-headers.json
# pci-dss-v4-evidence: 'true'
# pci-dss-v4-report: ${{ runner.temp }}/pci-dss-v4.md
# pci-dss-v4-json-report: ${{ runner.temp }}/pci-dss-v4.json
# pci-dss-v4-organization: Example Corp
# pci-dss-v4-beacon-url: https://www.javascriptobfuscator.com/v1/runtime/beacon.ashx
# pci-dss-v4-siem: splunk-hec
# In Dashboard Monitoring, export runtime incidents to CSV or JSON.
npx jso-protector compliance pci-dss-v4 \
--manifest dist-protected/jso-manifest.json.sig \
--root dist-protected \
--beacon-url https://www.javascriptobfuscator.com/v1/runtime/beacon.ashx \
--siem splunk-hec \
--script-inventory reports/payment-script-inventory.json \
--script-inventory-audit reports/payment-script-inventory-audit.json \
--payment-page-headers reports/payment-page-headers.json \
--runtime-incidents reports/runtime-incidents.json \
--output pci-evidence.md
Short version: protect first-party checkout logic, leave provider SDKs compatible, inventory the scripts that actually load, snapshot payment-page security headers, forward runtime events, and keep signed release evidence with every payment-page deployment.