Content Security Policy (CSP)
Content Security Policy (CSP) is a web standard implemented by all modern browsers that acts as a firewall for your web pages. It lets you declare a whitelist of the third-party origins your payment page may load scripts and other resources from, connect to, or embed, so that only trusted sources can execute on the page. The browser checks every request the page makes against that whitelist and either blocks an unauthorized third-party interaction or reports it, depending on the mode the policy is deployed in, which helps keep unapproved entities away from sensitive data.
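As an added illustration of the whitelist model described above (example code written for this page, not the browser's implementation and not part of any product), the following Node.js script evaluates a resource load against a parsed policy the way a browser does, walking each hop of a redirect chain so the cross-origin redirect case is visible. The page origin shop.example, the policy text, and hosts such as js.example-psp.com, cdn.evil.example and tracker.example are assumptions for the demo.

```javascript
// Added example (not browser or product code): how a CSP whitelist is evaluated
// for a resource load, including the cross-origin redirect case. The page
// origin, policy text and hostnames below are assumptions for the demo.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a serialized policy ("script-src 'self' https://a.com; ...") into a
// map of directive name -> source expressions. Browsers honour only the first
// occurrence of a directive within one policy, so duplicates are dropped.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does `url` match one source expression? `redirected` implements the CSP3
// rule that path components of a source are ignored once the request has been
// redirected, so only scheme, host and port still constrain the target.
function matchesSource(expr, url, pageOrigin, redirected) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false;                       // 'unsafe-inline', nonces, hashes are not URL sources
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source, e.g. https:

  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::([0-9]+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  if (scheme) {
    const s = scheme.toLowerCase() + ":";
    if (url.protocol !== s && !(s === "http:" && url.protocol === "https:")) return false; // http: sources also match https:
  }
  const h = host.toLowerCase();
  if (h.startsWith("*.")) {
    if (!url.hostname.endsWith(h.slice(1))) return false;      // *.a.com matches x.a.com, not a.com itself
  } else if (h !== "*" && h !== url.hostname) {
    return false;
  }
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || "")) return false; // no port in the source: only the default port matches
  } else if (port !== "*" && port !== urlPort) {
    return false;
  }
  if (path && !redirected) {
    if (path.endsWith("/")) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Governing source list for a fetch directive, falling back to default-src as
// browsers do. null means the policy places no restriction on that directive.
function sourceListFor(policy, directive) {
  return policy.get(directive) || policy.get("default-src") || null;
}

// Evaluate a load that may have gone through redirects. `chain` is
// [initial URL, first redirect target, ...]; every hop must be allowed.
// Returns the hop index and URL that would show up in a violation report.
function checkLoad(policy, directive, pageOrigin, chain) {
  const list = sourceListFor(policy, directive);
  if (list === null) return { allowed: true, blockedUri: null, hop: -1 };
  for (let i = 0; i < chain.length; i++) {
    const url = new URL(chain[i]);
    if (!list.some((expr) => matchesSource(expr, url, pageOrigin, i > 0))) {
      return { allowed: false, blockedUri: url.href, hop: i };
    }
  }
  return { allowed: true, blockedUri: null, hop: -1 };
}

// The same policy text ships under one of two header names: report-only
// (monitoring mode) or enforcing (blocking mode).
function cspHeader(serialized, enforce) {
  return [enforce ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only", serialized];
}

// Assumed checkout page and policy for the demo.
const PAGE_ORIGIN = "https://shop.example";
const POLICY = [
  "default-src 'self'",
  "script-src 'self' https://js.example-psp.com/v3/",
  "connect-src 'self' https://api.example-psp.com",
  "frame-src https://js.example-psp.com",
  "form-action 'self'",
  "report-to csp-endpoint",
].join("; ");
const policy = parsePolicy(POLICY);

// Whitelisted host and path: allowed.
const direct = checkLoad(policy, "script-src", PAGE_ORIGIN, ["https://js.example-psp.com/v3/pay.js"]);
// Whitelisted host that redirects to an unlisted origin: blocked at hop 1 (the redirect target).
const redirected = checkLoad(policy, "script-src", PAGE_ORIGIN,
  ["https://js.example-psp.com/v3/pay.js", "https://cdn.evil.example/pay.js"]);
// No img-src directive: default-src 'self' governs, so a third-party tracking pixel is a violation.
const pixel = checkLoad(policy, "img-src", PAGE_ORIGIN, ["https://tracker.example/p.gif"]);
console.log(cspHeader(POLICY, false)[0], { direct, redirected, pixel });
```

Two details worth noticing: a directive that is absent from the policy is governed by default-src, so forgetting img-src or connect-src does not open a hole as long as default-src is restrictive; and a path in a source expression stops constraining the request after the first redirect, which is why the redirect target is judged on scheme, host and port only.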
Advantages
- Higher Security Assurance: Because the policy is enforced by the browser itself, CSP is harder to bypass than proprietary, script-based solutions that run inside the page.
- Real-Time Monitoring and Protection: The browser evaluates the policy on every request in every user session, so all sessions on the payment page are covered and violations are reported as they occur.
- Minimal Performance Impact: As a native browser feature, CSP adds virtually no performance overhead to the site.
- Applies to All Resources: CSP governs every resource load, whether declared in the original HTML or added later by JavaScript (for example a script tag injected at runtime), so coverage extends to the whole page.
- No Functional Impact in Monitoring Mode: Deployed in monitoring mode (the Content-Security-Policy-Report-Only header), CSP reports violations without blocking anything, so you can observe what the policy would catch without disrupting the site.
- Whitelist-Based Filtering: CSP is a whitelist: only the sources you list may be loaded, connected to or embedded, which is a robust way to control which external resources can interact with your site.
- Effective Cross-Origin Redirect Protection: The target of a cross-origin redirect is checked against the policy as well. For example, if a script is allowed from a.com but the request is redirected to b.com, which the policy does not authorize, the redirected load is a violation: it is reported, and blocked when the policy is enforcing.
- Same-Origin iframe Coverage: CSP also applies to same-origin iframes such as srcdoc iframes, which inherit the parent document's policy, so embedded content is protected too.
- Handles Violations During Page Unload: CSP keeps evaluating requests and reporting violations while a page is unloading, so protection lasts until the session ends.
Disadvantages
- Challenges with Single Page Applications (SPA): Deploying CSP on an SPA is harder, especially when the policy should apply only to the pages in PCI DSS 4.0.1 scope: the policy is delivered with the HTML document, and client-side navigation does not fetch a new document, so the checkout view cannot receive a policy different from the rest of the application.
- Sparse Violation Information: A violation report carries limited information (typically the blocked URI, the violated directive, the document URI and, where available, a source file and line number, but not the content of the offending script), which makes it hard to identify the root cause and investigate further.
- Limited Behavioral Monitoring: CSP controls where resources may come from, not what they do once loaded; it cannot detect high-level behaviors such as keyloggers or scripts that read sensitive input data like credit card numbers.
- Challenging for Dynamic Sites: CSP's strict whitelist-based filtering can be difficult to maintain on dynamic websites. If an enforcing (blocking) policy is outdated, it may break site functionality by preventing new, legitimate resources from
Recommendations
- Simplify Deployment: Consider deploying CSP only on the parts of the site in PCI DSS 4.0.1 scope, such as the checkout page, rather than across the entire website.
- Engage Expert Resources: Creating and maintaining a CSP policy is nuanced; engage internal or external experts to get the policy right.
- Implement Practical Policies: If a fully enforcing (blocking) policy isn't feasible, run a report-only policy, or pair a report-only policy with a narrower enforcing one (browsers apply both headers when both are sent), to balance protection against site functionality.
- Leverage CSP Monitoring: Get the most out of CSP by feeding its violation reports to a CSP report monitoring service tailored to PCI compliance.
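Because violation reports are sparse and arrive in two wire formats, a report endpoint has to normalise and triage them before they are useful for monitoring the pages in scope. The following is an added example written for this page (not code from any monitoring service or browser) that normalises legacy report-uri posts and Reporting API report-to batches into one shape, drops browser-extension noise, keeps only reports from in-scope pages, and groups what is left by directive and blocked host, flagging hosts that are not on the expected list. All sample reports are constructed; the hostnames, the /checkout path and the known-host list are assumptions for the demo.

```javascript
// Added example (not product or browser code): normalising and triaging CSP
// violation reports at a report endpoint. Sample reports are constructed and
// the hosts, scope path and known-host list are assumptions.

const NOISE_SCHEMES = new Set([
  "about", "chrome-extension", "moz-extension", "safari-extension",
  "safari-web-extension", "ms-browser-extension",
]);

// Legacy `report-uri` posts: Content-Type application/csp-report, body {"csp-report": {...}}.
// Reporting API `report-to` posts: Content-Type application/reports+json, body is an array of
// {type, url, user_agent, body}. Field names differ between the two; normalise to one shape.
function normalizeReports(contentType, body) {
  const out = [];
  if (contentType.startsWith("application/csp-report")) {
    const r = body["csp-report"] || {};
    out.push({
      documentUrl: r["document-uri"] || "",
      blockedUrl: r["blocked-uri"] || "",
      directive: r["effective-directive"] || r["violated-directive"] || "",
      disposition: r["disposition"] || "enforce",
      sourceFile: r["source-file"] || "",
      line: r["line-number"] == null ? null : r["line-number"],
      sample: r["script-sample"] || "",   // only populated when the policy carries 'report-sample'
      userAgent: "",
    });
  } else if (contentType.startsWith("application/reports+json")) {
    for (const item of body) {
      if (item.type !== "csp-violation") continue; // the endpoint may also receive deprecation, crash, ... reports
      const b = item.body || {};
      out.push({
        documentUrl: b.documentURL || item.url || "",
        blockedUrl: b.blockedURL || "",
        directive: b.effectiveDirective || "",
        disposition: b.disposition || "enforce",
        sourceFile: b.sourceFile || "",
        line: b.lineNumber == null ? null : b.lineNumber,
        sample: b.sample || "",
        userAgent: item.user_agent || "",
      });
    }
  }
  return out;
}

// blocked-uri is a full URL for network loads, a keyword such as "inline" or
// "eval", or a bare scheme such as "about" or "data". Keywords have no host.
function blockedHost(blockedUrl) {
  try { return new URL(blockedUrl).hostname; } catch (e) { return ""; }
}

// Browser extensions inject scripts into every page and generate violations
// that have nothing to do with the site; drop them.
function isNoise(r) {
  return NOISE_SCHEMES.has(r.blockedUrl.split(":")[0]) || NOISE_SCHEMES.has(r.sourceFile.split(":")[0]);
}

// Group reports by (directive, blocked host) for in-scope pages and flag hosts
// that are not on the list the policy is meant to allow. Sorted so the
// unexpected, most frequent groups come first.
function triage(reports, { inScope, knownHosts }) {
  const groups = new Map();
  for (const r of reports) {
    if (isNoise(r) || !inScope(r.documentUrl)) continue;
    const host = blockedHost(r.blockedUrl) || r.blockedUrl; // keep "inline"/"eval" keywords as-is
    const key = `${r.directive} ${host}`;
    const g = groups.get(key) || {
      directive: r.directive, blocked: host, count: 0,
      dispositions: new Set(), sources: new Set(), unexpected: !knownHosts.has(host),
    };
    g.count += 1;
    g.dispositions.add(r.disposition);
    if (r.sourceFile) g.sources.add(r.sourceFile + (r.line !== null ? ":" + r.line : ""));
    groups.set(key, g);
  }
  return [...groups.values()]
    .map((g) => ({ ...g, dispositions: [...g.dispositions].sort(), sources: [...g.sources].sort() }))
    .sort((a, b) => Number(b.unexpected) - Number(a.unexpected) || b.count - a.count
      || a.directive.localeCompare(b.directive) || a.blocked.localeCompare(b.blocked));
}

// Constructed sample traffic (not real reports).
const LEGACY_BODY = { "csp-report": {
  "document-uri": "https://shop.example/checkout", "referrer": "",
  "violated-directive": "script-src-elem", "effective-directive": "script-src-elem",
  "original-policy": "default-src 'self'; script-src 'self' https://js.example-psp.com; report-uri /csp",
  "disposition": "report", "blocked-uri": "https://cdn.evil.example/skim.js", "status-code": 200,
  "source-file": "https://shop.example/static/app.js", "line-number": 412,
} };
const REPORT_TO_BATCH = [
  { age: 10, type: "csp-violation", url: "https://shop.example/checkout", user_agent: "UA/1", body: {
      documentURL: "https://shop.example/checkout", effectiveDirective: "connect-src",
      blockedURL: "https://collector.evil.example/beacon", disposition: "report",
      sourceFile: "https://shop.example/static/app.js", lineNumber: 418 } },
  { age: 12, type: "csp-violation", url: "https://shop.example/checkout", user_agent: "UA/1", body: {
      documentURL: "https://shop.example/checkout", effectiveDirective: "script-src-elem",
      blockedURL: "chrome-extension://abcdefghijklmnop/content.js", disposition: "report" } },
  { age: 30, type: "csp-violation", url: "https://shop.example/blog/post-1", user_agent: "UA/1", body: {
      documentURL: "https://shop.example/blog/post-1", effectiveDirective: "img-src",
      blockedURL: "https://images.example-partner.com/hero.jpg", disposition: "report" } },
  { age: 40, type: "csp-violation", url: "https://shop.example/checkout", user_agent: "UA/2", body: {
      documentURL: "https://shop.example/checkout", effectiveDirective: "script-src-elem",
      blockedURL: "https://cdn.evil.example/skim.js", disposition: "report",
      sourceFile: "https://shop.example/static/app.js", lineNumber: 412 } },
  { age: 41, type: "csp-violation", url: "https://shop.example/checkout", user_agent: "UA/2", body: {
      documentURL: "https://shop.example/checkout", effectiveDirective: "script-src-elem",
      blockedURL: "inline", disposition: "report", sourceFile: "https://shop.example/checkout", lineNumber: 88 } },
  { age: 5, type: "deprecation", url: "https://shop.example/checkout", user_agent: "UA/1", body: { id: "x" } },
];
const KNOWN_HOSTS = new Set(["shop.example", "js.example-psp.com", "api.example-psp.com"]); // assumed whitelist
const inCheckoutScope = (u) => { try { return new URL(u).pathname.startsWith("/checkout"); } catch (e) { return false; } };

function demo() {
  const reports = [
    ...normalizeReports("application/csp-report", LEGACY_BODY),
    ...normalizeReports("application/reports+json", REPORT_TO_BATCH),
  ];
  return triage(reports, { inScope: inCheckoutScope, knownHosts: KNOWN_HOSTS });
}
console.log(JSON.stringify(demo(), null, 2));
```

The output is as much about what is missing as what is present: the report names the blocked URL and, at best, the file and line that issued the request, while the script's own contents are absent unless the policy carries 'report-sample' (and then only a short prefix of an inline script). Root-cause work therefore starts from the source-file:line pairs the triage collects, and an "inline" entry on a checkout page is worth treating as seriously as an unknown host.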