Client-Side Protection Demo
Test CSP headers, JavaScript tampering detection, and Magecart-style attacks.
CSP Status
Current mode: off. Change via environment variable CSP_MODE=off|report|enforce
- off: No Content-Security-Policy header (vulnerable)
- report: Sends the Content-Security-Policy-Report-Only header, which reports violations but allows execution
- enforce: Enforces CSP, which blocks unauthorized scripts/styles
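The three modes above, as an added example that is not the demo's own code: a hypothetical `cspHeaderFor` helper maps `CSP_MODE` to the response header a server would send, and `applyCsp` sets it on a Node-style response object. The policy directives and the `/csp-report` endpoint are assumptions chosen for illustration.

```javascript
// Added example: helper names, directives and report path are assumptions.
const DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],      // no 'unsafe-inline', no third-party hosts
  "style-src": ["'self'"],
  "connect-src": ["'self'"],     // limits where fetch/XHR/beacons may send data
  "report-uri": ["/csp-report"], // hypothetical violation report endpoint
};

// Serialize the directive map into a single header value.
function buildPolicy(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}

// Map a CSP_MODE value to the header to send, or null when CSP is off.
function cspHeaderFor(mode) {
  const policy = buildPolicy(DIRECTIVES);
  switch (String(mode || "off").toLowerCase()) {
    case "off":
      return null; // no header: injected inline and third-party scripts run
    case "report":
      // Violations are reported, but the browser still executes the script.
      return { name: "Content-Security-Policy-Report-Only", value: policy };
    case "enforce":
      // Violations are reported and the browser blocks the script.
      return { name: "Content-Security-Policy", value: policy };
    default:
      // Reject typos so a misconfigured mode never silently means "off".
      throw new Error(`Unknown CSP_MODE: ${mode}`);
  }
}

// Apply the header to any response object exposing setHeader(name, value),
// such as Node's http.ServerResponse.
function applyCsp(res, mode = process.env.CSP_MODE) {
  const header = cspHeaderFor(mode);
  if (header) res.setHeader(header.name, header.value);
  return header;
}
```

Calling `applyCsp(res)` at the top of a request handler is enough to switch behaviour between runs by changing only the environment variable.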
Inline Script Test
Test whether the browser's Content Security Policy blocks dynamically injected inline scripts.
When CSP_MODE is off, the injected script runs and modifies the DOM. When CSP_MODE is enforce, the browser blocks the script and logs a violation.
Magecart / Skimmer Simulation
Simulates injection of a malicious third-party script that steals payment data.
Demo Payment Form
How Magecart Works
- Click "Inject Skimmer" to load the malicious third-party script
- Enter fake card data in the form above
- Click outside a field (blur event) to trigger exfiltration
- View captured data in the "Skimmed Data" section
- Set CSP_MODE=enforce and retry — the script should be blocked
Skimmed Data
No skimmed data yet. Inject the skimmer and enter card details to see captured data.
| Field | Value | Time |
|---|---|---|
CSP Violation Reports
No reports loaded. Click "Load Reports" to fetch CSP violation data.