Content Security Policy (CSP) support was added to Magento 2 in version 2.3.5.

CSPs are a powerful tool for mitigating Cross Site Scripting (XSS) and the attacks that ride on it, such as session hijacking and payment-card skimmers. The web server sends the policy in the HTTP response headers Content-Security-Policy (enforced by the browser) or Content-Security-Policy-Report-Only (violations are reported but nothing is blocked). The policy whitelists the origins from which styles, scripts and other resources may be loaded; anything else is blocked, or in report-only mode, reported.

The long and short is that CSPs can help to prevent malicious scripts from being loaded, and run within your Magento 2 website.

Magento 2 now sends these headers, and by default they are configured in report-only mode. In report-only mode nothing is blocked: the browser evaluates the policy and logs each violation to its developer console (and to the report endpoint, if one is configured), so you can see what a full enforcing policy would have broken before you switch it on.

Set the CSP mode

You can set the CSP mode from your own module or extension by adding the following to its etc/config.xml. The report_only value is 1 by default (report-only mode); set it to 0 for the storefront and/or admin to switch that area into enforcing mode, where the browser actually blocks violating resources. Only do this once the report-only console output on a real checkout is clean, otherwise legitimate third-party scripts (payment gateways, analytics, tag managers) will stop loading. The example below puts both areas into enforcing mode:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>0</report_only>
                </storefront>
                <admin>
                    <report_only>0</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>

How do I whitelist resources?

Magento 2 provides a number of ways to whitelist your extension's or theme's resources. The full list of CSP types Magento supports is documented here: https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html#configure-csps-for-your-custom-codeextensiontheme

Magento recommends being cautious with your CSPs: only whitelist the resources an extension actually needs, and put them in the narrowest directive that covers them. For example, if you only need to load a JavaScript file from a CDN, adding that host to default-src would also trust it for images, frames, fonts and everything else that falls back to default-src; a script-src entry limits the trust to scripts. You whitelist a domain by adding a csp_whitelist.xml file to your extension's etc folder, where each policy id is a CSP directive name and each type="host" value is a host source.

An example is included below of how this file is structured:

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="devdocs-base" type="host">https://devdocs.magento.com</value>
                <value id="magento" type="host">https://magento.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
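To make the link between csp_whitelist.xml, the header Magento sends, and what the browser will actually block concrete, here is an added Python example. It is not Magento's code or the page author's: it parses a constructed whitelist in the same shape as the file above, renders the report-only or enforcing header, and evaluates sample resource loads with a simplified CSP host-source matcher (paths ignored, scheme-less sources treated as https-only, port ignored when the source gives none). The shop origin https://shop.example and the *.example-cdn.net and images.example.com hosts are assumptions. A real Magento header is the merge of every enabled module's whitelist plus Magento's own configuration, so this shows the mechanics, not the exact header your store emits.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed csp_whitelist.xml (assumed hosts), same shape as the file shown above.
SAMPLE_WHITELIST = """<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="devdocs-base" type="host">https://devdocs.magento.com</value>
                <value id="cdn" type="host">*.example-cdn.net</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="images" type="host">https://images.example.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
"""

# Fetch directives inherit default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "child-src"}
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_whitelist(xml_text):
    """Return {directive: [host source, ...]} from csp_whitelist.xml content."""
    policies = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        hosts = [v.text.strip() for v in policy.iter("value") if v.get("type") == "host"]
        policies.setdefault(policy.get("id"), []).extend(hosts)
    return policies


def build_header(policies, report_only=True):
    """Render (header name, header value). report_only=True picks the header that
    only reports violations; False picks the one that makes the browser block them."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policies.items())
    return name, value


def host_source_matches(source, url):
    """Simplified CSP host-source match: optional scheme, host with an optional
    leading wildcard label, optional port (or *). Paths are ignored (simplification)."""
    u = urlsplit(url)
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if scheme != u.scheme:
            return False
    else:
        rest = source
        if u.scheme != "https":  # scheme-less source: accept https loads only (simplification)
            return False
    host = rest.split("/", 1)[0]
    if ":" in host:
        host, port = host.rsplit(":", 1)
        if port != "*" and (u.port or DEFAULT_PORTS.get(u.scheme)) != int(port):
            return False
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def allowed(policies, directive, url, self_origin="https://shop.example"):
    """True if loading `url` under `directive` is permitted. A missing fetch directive
    inherits default-src; if that is missing too the load is unrestricted, which is
    why a whitelist with no default-src is not a complete policy on its own."""
    sources = policies.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policies.get("default-src")
    if sources is None:
        return True
    for src in sources:
        if src == "'self'":
            if host_source_matches(self_origin, url):
                return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces and hashes never match a URL
        elif host_source_matches(src, url):
            return True
    return False


def compare_scopes(cdn="https://cdn.example"):
    """Why a script-only CDN belongs in script-src: placed in default-src it is also
    trusted for images, frames and XHR. Returns {directive: (broad, narrow)}."""
    broad = {"default-src": ["'self'", cdn]}
    narrow = {"default-src": ["'self'"], "script-src": ["'self'", cdn]}
    probe = cdn + "/asset"
    return {d: (allowed(broad, d, probe), allowed(narrow, d, probe))
            for d in ("script-src", "img-src", "frame-src", "connect-src")}


if __name__ == "__main__":
    policies = parse_whitelist(SAMPLE_WHITELIST)
    print(*build_header(policies, report_only=True), sep=": ")
    for directive, url in [("script-src", "https://devdocs.magento.com/a.js"),
                           ("script-src", "https://cdn.example-cdn.net/a.js"),
                           ("script-src", "https://evil.example/a.js"),
                           ("img-src", "https://devdocs.magento.com/a.png"),
                           ("style-src", "https://anywhere.example/a.css")]:
        verdict = "allowed" if allowed(policies, directive, url) else "blocked"
        print(f"{directive:10} {url:42} {verdict}")
    print(compare_scopes())
```

Two things the run makes visible that the whitelist alone does not: the devdocs host is allowed for scripts but blocked for images because each directive is matched on its own, and the style-src load is allowed from anywhere because the sample sets no default-src, so nothing governs that directive. The compare_scopes output shows the default-src versus script-src trade-off from the paragraph above as concrete allow/block decisions.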

Are there any extensions to manage this for me?

If you are scratching your head and wondering how to approach this, fear not. A number of add-ons have started to appear that aim to tackle the problem, including extensions from Experius and Netalco.

DTF Digital