--- title: Malicious script and connection detection description: Cloudflare analyzes the JavaScript code of the scripts loaded by your website visitors, using threat intelligence and machine learning (including LLMs) to detect malicious behavior. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/client-side-security/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ LLM ](https://developers.cloudflare.com/search/?tags=LLM) # Malicious script and connection detection Note Domain-based threat intelligence is available to all customers. Malicious script detection and malicious URL checks require Client-Side Security Advanced. Cloudflare uses three complementary mechanisms to determine if a script, or a connection made by a script, is malicious. Each mechanism checks at a different level — the script's code, the URL it is hosted at, or the domain it is served from: * **Malicious script detection** — Analyzes the actual JavaScript code for malicious behavior. * **Malicious URL checks** — Looks up script URLs against threat intelligence feeds. * **Malicious domain checks** — Looks up script domains against threat intelligence feeds. Any updates to the threat feeds will trigger new checks for previously detected scripts or connections so that the client-side resource monitoring dashboards always reflect the latest categorization. ## Malicious script detection Cloudflare analyzes the JavaScript code of the scripts loaded by your website visitors. This analysis uses machine learning, including an LLM powered by Workers AI, to reduce the false positive rate and focus on highlighting true positives such as [Magecart-type attacks ↗](https://sansec.io/what-is-magecart), where injected code skims payment card data from checkout forms. Note Cloudflare uses open-source models for this analysis. Customer data is not used to train these models. The analysis assigns a JS integrity score between 1 and 99 to each script version. Lower scores indicate higher risk: a score of 1 means definitely malicious, and 99 means definitely not malicious. Cloudflare classifies a script as malicious when its score falls below the threshold, which is currently set to 10\. Scripts that score below this threshold appear as malicious in the monitoring dashboards. In addition to the integrity score, Cloudflare will also provide individual scores for different malicious code detections (scores from 1 to 99): * **Magecart** * **Crypto mining** * **Malware** You can [configure Malicious Script Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/) to receive an alert notification as soon as Cloudflare detects JavaScript code classified as malicious in your domain. Note Currently, the script classifier only runs on scripts up to 300 KB. It is recommended that you take into account other signals in your monitoring strategy, such as signals based on threat intelligence feeds (malicious URL/domain checks). ## Malicious URL checks Cloudflare will search for the URLs of your JavaScript dependencies in threat intelligence feeds to determine if any of those scripts should be categorized as malicious. The client-side resource monitoring dashboards display the scripts that were considered malicious at the top of the scripts list. You can [configure Malicious URL Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/) to receive an alert notification as soon as Cloudflare detects a script from a malicious URL in your domain. Depending on your current configuration, Cloudflare can also search for malicious URLs in the URLs of outgoing connections made by scripts in your domain. To enable this check, you must [allow resource monitoring to use the full URLs of outgoing connections](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details) instead of only the hostname in the settings page. ## Malicious domain checks Cloudflare will search for the domains of your client-side JavaScript dependencies in threat feeds to determine if any of those scripts is being served from a known malicious domain. A domain previously reported as malicious can later be reported as non-malicious if, after further analysis, the domain is deemed safe. Cloudflare will also check the target domains of connections made by scripts in your domain's pages, following the same approach described for scripts. You can [configure Malicious Domain Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/) to receive an alert notification as soon as Cloudflare detects a malicious script loaded from a known malicious domain in your domain. --- ## Malicious script and connection categories Scripts and connections considered malicious are categorized based on data from threat intelligence feeds. The current categories are the following: * Security threats * Command-and-Control (C2) & Botnet * Crypto mining * Spyware * Phishing * Malware * Domain Generation Algorithm (DGA) domain * Typosquatting & Impersonation Each script or connection considered malicious can belong to several categories. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/client-side-security/","name":"Client-side security"}},{"@type":"ListItem","position":3,"item":{"@id":"/client-side-security/how-it-works/","name":"How client-side security works"}},{"@type":"ListItem","position":4,"item":{"@id":"/client-side-security/how-it-works/malicious-script-detection/","name":"Malicious script and connection detection"}}]} ```