
Content Security Policy (CSP)

Content Security Policy (CSP) acts as a firewall for your webpages, built into all modern browsers as a web standard. It allows you to specify a whitelist of authorized third-party domains that your payment page can safely interact with, ensuring that only trusted sources are permitted to execute on your site. CSP helps detect or block any unauthorized third-party interactions that fall outside of this list, preventing access to sensitive data by unapproved entities.

Advantages

  1. Higher Security Assurance: CSP is built into modern browsers, making it less likely to be bypassed compared to proprietary solutions.
  2. Real-Time Monitoring and Protection: CSP offers real-time oversight, ensuring that all user sessions on the payment page are monitored and protected from unauthorized interactions.
  3. Minimal Performance Impact: As a native browser feature, CSP imposes virtually no performance impact on the site, ensuring smooth functionality.
  4. Applies to All Resources: CSP applies to all resources, whether declared in the original HTML or dynamically loaded via JavaScript, ensuring comprehensive protection across your web page.
  5. No Functional Impact in Monitoring Mode: When CSP is deployed in monitoring mode, it does not interfere with the functionality of the website, allowing for secure monitoring without operational disruption.
  6. Whitelist-Based Filtering: CSP enforces a whitelist based filtering system, providing a secure method to control which external resources can interact with your site.
  7. Effective Cross-Origin Redirect Protection: CSP prevents unauthorized cross-origin redirects. For example, if a script allowed from a.com is redirected to b.com (not authorized by CSP), this violation will trigger an alert, and appropriate actions will be taken.
  8. Same-Origin iframe Coverage: CSP extends protection to same-origin iframes, such as srcdoc iframes, enhancing the security of embedded content.
  9. Handles Violations During Page Unload: CSP continues to monitor and enforce policies even when a page is unloading, ensuring full protection until the session ends.

Disadvantages

  1. Challenging for Dynamic Sites: CSP’s strict whitelist-based filtering can be difficult to maintain on dynamic websites. If the blocking mode policy is outdated, it may break site functionality by preventing new, legitimate resources from
  2. Challenges with Single Page Applications (SPA): Deploying CSP on SPAs, especially when applied only to specific PCI DSS 4.0.1 scope pages, can present challenges due to client-side navigation.
  3. Sparse Violation Information: When a behavior violates a CSP policy, the system provides limited information, making it challenging to identify the root cause and investigate the issue further.
  4. Limited Behavioral Monitoring: CSP cannot monitor or control high-level behaviors such as keyloggers or scripts that read sensitive input data, like credit card information.

Expert Insight

To ensure a Content Security Policy (CSP) serves effectively and delivers optimal results, site owners should:

  1. Simplify Deployment: Consider deploying CSP only on sections of the site under PCI DSS 4.0.1 scope, such as the checkout page, rather than applying it across the entire website.
  2. Engage Expert Resources: CSP policy creation and management is nuanced; it's advisable to engage internal or external experts to optimize the policy.
  3. Implement Practical Policies: If a full blocking mode CSP policy isn't feasible, use a monitoring mode CSP policy or combine it with a limited blocking mode policy to balance protection and site functionality.
  4. Leverage CSP Monitoring: Maximize the benefits of CSP by utilizing a CSP report monitoring service tailored specifically for PCI compliance.
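As an added example that is not part of this page or of any vendor's service, the Python below triages report-uri style CSP violation reports the way a monitoring service for a checkout page would have to: it parses the sparse fields each report carries, checks whether the violating document is in PCI DSS scope, and flags hosts outside the whitelist. The allowed origins, the /checkout scope prefix and the three sample reports are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed assumptions (not from the page): the origins the checkout page's
# CSP allows, and the path prefix that is in PCI DSS scope.
ALLOWED_ORIGINS = {"https://shop.example", "https://js.example-psp.com"}
IN_SCOPE_PATHS = ("/checkout",)

SAMPLE_REPORTS = [  # constructed, in the report-uri JSON format ("csp-report" object)
    '{"csp-report": {"document-uri": "https://shop.example/checkout",'
    ' "effective-directive": "script-src", "disposition": "report",'
    ' "blocked-uri": "https://unlisted-cdn.example/loader.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout",'
    ' "effective-directive": "connect-src", "disposition": "enforce",'
    ' "blocked-uri": "https://js.example-psp.com/v3/token"}}',
    '{"csp-report": {"document-uri": "https://shop.example/blog",'
    ' "violated-directive": "script-src", "blocked-uri": "inline",'
    ' "source-file": "https://shop.example/blog", "line-number": 12}}',
]

def parse_report(body):
    """Pull out the few fields a violation report carries; absent ones are None."""
    r = json.loads(body).get("csp-report", {})
    return {
        "document": r.get("document-uri"),
        "directive": r.get("effective-directive") or r.get("violated-directive"),
        "blocked": r.get("blocked-uri"),
        "source": r.get("source-file"),
        "line": r.get("line-number"),
    }

def origin_of(uri):
    p = urlsplit(uri)  # 'inline', 'eval' and similar have no scheme and pass through
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else uri

def classify(report):
    """Return (in_scope, verdict): 'unknown-origin' (host outside the whitelist,
    worth an alert), 'allowed-origin' (an allowed host hit another directive, a
    policy gap to review) or 'inline' (inline script, eval, data: and similar)."""
    path = urlsplit(report["document"] or "").path
    in_scope = any(path.startswith(prefix) for prefix in IN_SCOPE_PATHS)
    blocked = report["blocked"] or ""
    if blocked in ("inline", "eval", "data", "blob", ""):
        return in_scope, "inline"
    verdict = "allowed-origin" if origin_of(blocked) in ALLOWED_ORIGINS else "unknown-origin"
    return in_scope, verdict

def triage(bodies):
    rows = [(r["directive"], *classify(r)) for r in map(parse_report, bodies)]
    return sorted(rows, key=lambda row: (row[2] != "unknown-origin", not row[1]))
```

Reports arrive with no stack or behavioural context, so the script can only say which directive fired and whether the blocked host is on the list; anything it flags as an in-scope unknown origin still needs a person to find out how that host reached the page.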