Contents

Content Security Policy

 

Padlock
Before getting started with performing bespoke changes to the appearance and behaviour of your Payment Pages, we need to ensure sufficient security precautions are undertaken in order to ensure your site reference continues to function as expected and remains secure once testing has been completed.

 

Please read the following information carefully before proceeding on to the next steps.

 

Due to the increasing number of JavaScript skimming attacks against e-commerce service providers, we have introduced an additional security standard called Content Security Policy.

 


 

What is Content Security Policy (CSP)?

CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. It is important to be protected against these threats, as they could compromise the integrity of your data or leave your customers exposed to the risk of fraud.

For further information on CSP, you can refer to the Mozilla documentation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

 


 

Configuration

Thumbs up
If you are not making modifications to your Payment Pages using custom mark-up, you do not need to make any additional changes to be protected by CSP, as this is enabled on all new site references by default.

 

If you would like to implement custom styling to your Payment Pages, you will need to contact our Support Team to ensure CSP-blocking is enabled on your test site reference. You will also need to provide a list of trusted URIs (Uniform Resource Indicators) that are to be permitted access from your mark-up. Typical examples would be when you need to reference externally-hosted scripts or images for purposes of rendering certain visual aspects of your checkout and/or to perform analytics.

Note: To include a URI in the white-list, the resource needs to be loaded over HTTPS.

 

Info
We will block communications to any URIs not present in the aforementioned list to better protect your account from interference by unauthorised third parties. For this reason, it is important to thoroughly test your changes on your test site reference before applying to your live site reference.

 


 

Maintenance

Should you need to update the URI whitelist for any of your site references in future, please contact our Support Team with your request and we will update the configuration accordingly. We will notify you when the new URIs have been whitelisted and are available to use as part of your solution.

If you have any questions or require further clarification, please do not hesitate to contact us.

 


 

Tick
Your progress

Now that you have configured your Content Security Policy, you can begin to learn how to customise your checkout.