Nova Shield: Frontend Protection Setup

Nova Shield is the frontend security layer for Nova Scan. It runs as a tiny JavaScript agent on your site, watching for DOM tampering, malicious script injection, and unauthorized form hijacking in real time.

What Nova Shield Protects Against

  • πŸͺž DOM injection: malicious scripts added after page load
  • πŸ“ Form hijacking: credit card / login form skimmers
  • πŸ”— Link tampering: redirect chain swaps
  • 🧬 Script integrity drift: modifications to your JS files
  • 🎭 Iframe injection: hidden ad/tracking frames
  • πŸ›°οΈ Suspicious outbound calls: data exfiltration attempts

Quick Setup (3 steps)

1. Enable Shield

Nova Core β†’ Nova Scan β†’ Shield β†’ Enable Frontend Protection

2. Pick a Mode

  • Learning Mode (recommended for first 7 days): Shield watches and logs everything but blocks nothing. Use this to baseline your site.
  • Active Mode: Shield blocks anything that doesn’t match the learned baseline.

3. Verify the Agent Loaded

Open your homepage in an incognito window, open DevTools β†’ Console, and look for:

[Nova Shield] Active - monitoring 9 surfaces

If you see that, you’re done. If not, see Troubleshooting below.

Configuration Options

SettingDefaultWhat it does
ModeLearningLearning vs Active
Protected PagesAllRestrict to checkout/login only if needed
Form ProtectionOnWatches all <form> elements for tampering
Link IntegrityOnHashes outbound links and re-checks on click
Script HashingOnLocks first-party JS to known-good hashes
Report OnlyOffSends alerts but never blocks (even in Active mode)
Whitelist DomainsemptyDomains Shield should ignore (e.g. googletagmanager.com)

Troubleshooting

❌ Shield agent not loading

Check:

  1. Is Nova Scan active? Shield requires Nova Scan + Nova Core both running.
  2. Is your site behind a caching layer? Purge all 3 caches: Cloudflare, Hyper Nova, OPcache.
  3. Open view-source: on your homepage and search for nova-shield. If missing, the agent script wasn’t injected, check that Shield is enabled under Nova Scan settings.

❌ CORS errors in browser console

Shield reports back to your own site’s REST endpoint, so CORS is rare, but it can happen if your site has aggressive CORS headers or runs the frontend on a different domain than the WordPress backend (headless WP setups).

Fix:

  1. Go to Nova Core β†’ Settings β†’ Auth & CORS
  2. Add your frontend domain (e.g. https://example.com) to Allowed Origins
  3. Save and purge caches

If you see this in console:

Access to fetch at 'https://yoursite.com/wp-json/nova/v1/shield/report'
from origin 'https://yoursite.com' has been blocked by CORS policy

…it usually means a security plugin (Wordfence, iThemes, etc.) is stripping the Access-Control-Allow-Origin header. Whitelist the /wp-json/nova/v1/shield/* route in that plugin.

❌ Cloudflare blocking Shield reports

Cloudflare’s bot management or WAF can flag Shield’s POST reports as bot traffic. Symptoms:

  • Console shows 403 or 1010 errors when Shield tries to report
  • Shield Activity dashboard stays empty even though the agent is loaded

Fix:

  1. Cloudflare Dashboard β†’ Security β†’ WAF β†’ Custom Rules
  2. Create a rule: (http.request.uri.path contains "/wp-json/nova/v1/shield") Action: Skip β†’ All remaining custom rules + Bot Fight Mode
  3. Also exclude the path from Cloudflare β†’ Caching β†’ Cache Rules so reports aren’t cached.
  4. If you use Cloudflare Bot Fight Mode, add /wp-json/nova/v1/shield/* to the bot exclusions.
  5. Purge Cloudflare cache.

❌ Too many false positives in Active Mode

You activated too early. Switch back to Learning Mode for another 7 days, then re-enable Active Mode. Shield needs to see all your site’s normal patterns (Google Analytics, Tag Manager, third-party widgets, etc.) before it can tell what’s anomalous.

❌ Tag Manager / Analytics getting blocked

Add the third-party domain to Whitelist Domains:

  • googletagmanager.com
  • google-analytics.com
  • connect.facebook.net
  • cdn.cookielaw.org (OneTrust)
  • Any other trusted analytics/marketing tools

❌ Forms breaking on checkout pages

WooCommerce / EDD checkout forms use dynamic field generation that can trip Shield. Fix:

  1. Nova Scan β†’ Shield β†’ Protected Pages
  2. Exclude /checkout/ and /cart/ if you’re on Active Mode and seeing breakage
  3. Or switch those pages to Report Only mode

❌ Shield Activity dashboard empty

Check in this order:

  1. Is the agent loaded? (view-source: your homepage, search for nova-shield)
  2. Are reports reaching the server? (DevTools β†’ Network β†’ filter for shield/report)
  3. Is Cloudflare/WAF blocking the reports? (see Cloudflare section above)
  4. Purge OPcache: sometimes the report endpoint is stale

Best Practices

  1. Always start in Learning Mode for 7 days minimum. Skipping this guarantees false positives.
  2. Whitelist your analytics/marketing stack before going Active.
  3. Run Nova Scan + Shield together – Scan catches what’s already there, Shield catches what tries to get in.
  4. Check Shield Activity weekly during the first month to tune your whitelist.
  5. Use Report Only mode on critical pages (checkout, login) for the first 2 weeks of Active Mode – you get alerts without breaking customers.

Common Question

Q: Does Shield slow down my site? A: The agent is ~9KB gzipped and runs after page load. Real-world impact is under 5ms on first paint.

Q: Does Shield work with HyperNova caching? A: Yes. Shield’s agent is injected at render time and the report endpoint bypasses cache automatically.

Q: Will Shield see my visitors’ personal data? A: No. Shield only hashes structural patterns (DOM shape, script hashes, form field counts). It never reads field values or sends content off-site.

Q: Can I run Shield without Nova Scan? A: No. Shield is a feature of Nova Scan and requires it active.

© Nova Heaven. All rights reserved.