• 07 Jun 2024
  • Dark


  • Dark

Article summary


A script is a set of JavaScript instructions used to add or enhance a site's capabilities. In essence, it's a computer program running on a site.


Similar to the physical skimmers that are inserted to ATMs and other payment processing devices to steal personal information and payment details in particular, electronic skimmers are computer programs or scripts injected into a site for the same purpose.

First Party

A script is considered first party if it is loaded from the same domain as the website or one of the listed domains of the application. A script can also be classified as first party if the domain it originates from has the same registrant as the website's domain (e.g. a script that is loaded from a CDN owned by the website).

Third Party

A script is considered third party if it is loaded from a different domain.

Inline Script

An inline script is a script that is directly embedded in the website's HTML, and not loaded from an external file. This script will appear as "Anonymous" in the portal.

An Unidentified Script

Unidentified scripts are scripts that the Code Defender sensor could not map to a script source or the action that was performed. This usually happens when Code Defender snippet is not loaded first in the page hierarchy on the website (integration step). Please see the sensor integration section for more details.


An incident is a set of actions with some amount of risk. An incident is shown on the Dashboard if the percentage of users affected by its behavior has exceeded a predefined threshold, in order to prevent noise in the system.

  • Note: for staging applications the threshold is practically insignificant.

There are 6 main incident categories:





Domain Reputation

Suspicious Behavior

All categories have incidents of 3 risk levels: low, medium and high. An incident's risk score depends on many factors including the page type on which the behavior happened, the script's party, known/ unknown vendor, etc.


Code Defender tracks all JavaScript activities on the client's website. The actions are divided into 3 main categories: Network, DOM, and Storage.

DOM actions include script load, value access, link change, mutation etc.

Network actions include fetch, xhr, beacon, worker, rtc etc.

Storage actions include set and get cookie.

Most actions have one or two additional parameters like the fields being accessed by the script, the names of the cookies being set, or the domains the network actions are targeted to.
Actions with changing parameters of the same kind are grouped.

Monthly Unique Visitors (MUV)

The cost of Code Defender is calculated based on the number of unique visitors on the website and app per month, determined by a HUMAN cookie set on each visitor’s device.

The MUV report is generated for every account per Application ID. It can be found under Portal -> Platform Settings -> Usage


Application ID (AKA app_id), is an identifier created by HUMAN to be able to address parts of an account easily, and aggregate data by. An application can encompass one or more host domains.

Host-Domain Paradigm

Despite the fact that the Code Defender's sensor is configured per Application ID, all the data (incidents and actions) is aggregated per host domain. Users exposure to scripts and incidents is calculated per host domain.
Website domains are automatically assigned to be the host domain.
If requested, all subdomains of a given domain can be configured as host domains, and incidents will be created accordingly.

TLD - Top Level Domain

A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. For example, the TLD for the URL would be


Magecart (Magento + Cart) is the name given to several cybercriminal groups targeting Magento based E-Commerce sites. The rising popularity of the Magento platform led to skimming attacks on it and other open source E-Commerce platforms to become synonymous with Magecart.

Personally Identifiable Information (PII)

Information related to an identifiable person. Though definitions change under different jurisdictions, the term is generally used to mean information such as identity details (name, SSN, etc), contact details (addresses, phone number, etc), and payment details.


Payment Card Industry's Data Security Standard is (true to its name) a standard set by the payment card industry that is required before a vendor is permitted to handle credit cards of the PCI members.


In web applications context, a vulnerability is a gap in the application that can lead to unexpected and/or undesired consequences, if exploited by an attacker.

Domain Reputation

A domain's reputation is based on its hosting of disreputable content like malware and on its use in spreading spam. The reputation is based on several sources, both internal and external and is aggregated as a level of risk, from 0 (safe) - to 100 (malicious).

Baseline \ Deviation

A baseline is a snapshot of a site's resources and behavior. When a resource on a site exhibits new behavior, it's considered a deviation from the baseline.

Suspicious Behavior

Events or actions of a script that may indicate malicious activity. For example, parts of the scripts are obfuscated, reading from clipboard, or setting a suspicious cookie.


Some scripts have interchangeable paths or different file names, due to different versions, specific bundles, etc.

Grouping is Code Defender's unique concept which is a crucial part of ensuring we don't consider similar scripts with interchangeable paths as completely different entities.

After the grouping process is complete, we can track the grouped script's behavior over time, without creating noise on the interchangeable scripts.

For example, without grouping:


would have been considered two completely separate entities, even though it is practically the same script with an updated version.

After the grouping process, the entity would look like that:[UNIQUE_ID]/template.js

and all scripts under the same rule would be part of the group.

In the Analyzer, the user can see the grouping and examples for each grouped script set

Was this article helpful?

What's Next