Fastly

Fastly Client-Side Protection API

Fastly Client-Side Protection (CSP) provides visibility and control over third-party scripts running on your web pages. The API monitors script behavior, manages authorization status, and configures security policies to defend against client-side attacks like Magecart and formjacking. It exposes Website, Page, Script, Policy, Policy Report, Security Header, and Header Event sub-resources.

GitHub OpenAPI

Documentation

📖
Documentation
https://www.fastly.com/documentation/reference/api/client-side-protection/

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/fastly/refs/heads/main/openapi/fastly-client-side-protection-openapi.yml

OpenAPI Specification

fastly-client-side-protection-openapi.yml Raw ↑ 
openapi: 3.0.3
info:
  title: Fastly Client-Side Protection API
  description: |
    Fastly Client-Side Protection (CSP) provides visibility and control over
    third-party scripts running on your web pages. The service monitors script
    behavior, manages authorization status, and configures security policies to
    defend against client-side attacks like Magecart and formjacking.
  version: '1.0.0'
servers:
  - url: https://api.fastly.com
security:
  - FastlyKey: []
tags:
  - name: Websites
  - name: Pages
  - name: Scripts
  - name: Policies
  - name: Security Headers
paths:
  /client-side-protection/websites:
    get:
      tags: [Websites]
      summary: List Websites
      operationId: listCspWebsites
      responses:
        '200': { description: A list of websites }
    post:
      tags: [Websites]
      summary: Create Website
      operationId: createCspWebsite
      responses:
        '201': { description: Created }
  /client-side-protection/websites/{website_id}:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
    get:
      tags: [Websites]
      summary: Get Website
      operationId: getCspWebsite
      responses:
        '200': { description: A website }
    patch:
      tags: [Websites]
      summary: Update Website
      operationId: updateCspWebsite
      responses:
        '200': { description: Updated }
    delete:
      tags: [Websites]
      summary: Delete Website
      operationId: deleteCspWebsite
      responses:
        '204': { description: Deleted }
  /client-side-protection/websites/{website_id}/pages:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
    get:
      tags: [Pages]
      summary: List Pages
      operationId: listCspPages
      responses:
        '200': { description: A list of pages }
    post:
      tags: [Pages]
      summary: Create Page
      operationId: createCspPage
      responses:
        '201': { description: Created }
  /client-side-protection/websites/{website_id}/pages/{page_id}:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
      - { in: path, name: page_id, required: true, schema: { type: string } }
    get:
      tags: [Pages]
      summary: Get Page
      operationId: getCspPage
      responses:
        '200': { description: A page }
    patch:
      tags: [Pages]
      summary: Update Page
      operationId: updateCspPage
      responses:
        '200': { description: Updated }
    delete:
      tags: [Pages]
      summary: Delete Page
      operationId: deleteCspPage
      responses:
        '204': { description: Deleted }
  /client-side-protection/websites/{website_id}/scripts:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
    get:
      tags: [Scripts]
      summary: List Scripts
      operationId: listCspScripts
      responses:
        '200': { description: A list of detected scripts }
  /client-side-protection/websites/{website_id}/scripts/{script_id}:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
      - { in: path, name: script_id, required: true, schema: { type: string } }
    get:
      tags: [Scripts]
      summary: Get Script
      operationId: getCspScript
      responses:
        '200': { description: A script entry }
    patch:
      tags: [Scripts]
      summary: Update Script
      operationId: updateCspScript
      responses:
        '200': { description: Updated }
  /client-side-protection/websites/{website_id}/policies:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
    get:
      tags: [Policies]
      summary: List Policies
      operationId: listCspPolicies
      responses:
        '200': { description: A list of policies }
    post:
      tags: [Policies]
      summary: Create Policy
      operationId: createCspPolicy
      responses:
        '201': { description: Created }
  /client-side-protection/websites/{website_id}/policies/{policy_id}:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
      - { in: path, name: policy_id, required: true, schema: { type: string } }
    get:
      tags: [Policies]
      summary: Get Policy
      operationId: getCspPolicy
      responses:
        '200': { description: A CSP policy }
    patch:
      tags: [Policies]
      summary: Update Policy
      operationId: updateCspPolicy
      responses:
        '200': { description: Updated }
  /client-side-protection/websites/{website_id}/policies/{policy_id}/reports:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
      - { in: path, name: policy_id, required: true, schema: { type: string } }
    get:
      tags: [Policies]
      summary: List Policy Reports
      operationId: listCspPolicyReports
      responses:
        '200': { description: Policy violation reports }
  /client-side-protection/websites/{website_id}/security-headers:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
    get:
      tags: [Security Headers]
      summary: List Security Headers
      operationId: listSecurityHeaders
      responses:
        '200': { description: Security headers observed }
  /client-side-protection/websites/{website_id}/security-headers/events:
    parameters:
      - { in: path, name: website_id, required: true, schema: { type: string } }
    get:
      tags: [Security Headers]
      summary: List Header Events
      operationId: listHeaderEvents
      responses:
        '200': { description: Header events }
components:
  securitySchemes:
    FastlyKey:
      type: apiKey
      in: header
      name: Fastly-Key
  schemas:
    CspPolicy:
      type: object
      properties:
        id: { type: string }
        directives:
          type: object
          additionalProperties:
            type: array
            items: { type: string }
        report_only: { type: boolean }
    Script:
      type: object
      properties:
        id: { type: string }
        url: { type: string, format: uri }
        host: { type: string }
        first_seen_at: { type: string, format: date-time }
        authorized: { type: boolean }