CSP (Content Security Policy) is a standard that can help to put an extra layer of protection for Open cart stores against cyberattacks like Cross-site Scripting (XSS), ClickJacking and data injection attacks.
The Content-Security-Policy is a response header that limits the browser and tells what content source can be trusted and which should be blocked.
By using CSP-defined policies, you can restrict browser content to eliminate risk.
How To implement CSP in Open cart?
CSP defining a variety of content restrictions by using directives and each directive consist of a name followed by one or more values. You can add a CSP response header in httpd.conf or .htaccess files.
Example 1:
|
1 |
Header set Content-Security-Policy "default-src 'self';" |
Where “default-src” is directive, this will set a default policy to allow only content from the same origin.
Example 2:
|
1 |
Content-Security-Policy: default-src *://*.test.com |
This header will allow sources from any subdomain of test.com, using HTTP or HTTPS protocols.
Example 3: You can also provide directives at the page level as well by using HTML meta tags.
|
1 2 |
<meta http-equiv="Content-Security-Policy" content="default-src 'self'"> |
List of CSP Directives:
CSP is having a rich set of policy directives that allow the Open cart store owner to monitor the flow of policies in a granular way –
- Default-src : specifies the default resource fetch policy, and its veil can be “self” (allow content from the same origin) or “none”(block everything that’s not explicitly whitelisted).
- Script-src : script-src is used to define a list of allowed script sources.
- Img-src : used to define list of allowed source locations for images.
- Media-src: used to define list of allowed source locations for media like video and audio.
- Object-src: used to define list of allowed source locations for plugins.
- Font-src: used to define list of allowed sources for loading fonts.
- Style-src: used to define list of allowed CSS stylesheet sources.
- Form-action: specify list of URL target locations where the website can send form data.
- Plugin-types: The list of plugin types that can be loaded from the locations in object-src.
Conclusion
CSP acts as a gatekeeper for your Open cart store. You can limit data on your store and can define which script can be executed. Content-Security-Policy is a powerful tool for protection against XSS and clickjacking attacks.
E-commerce Stores are lucrative targets for attackers in today’s world.
CSP can mitigate the risk of being targeted and can improve overall Open cart Store Security.
Although it’s not possible for every store owner to set up CSP header and check other vulnerabilities, in such a case Webkul can help through its basic security module.
In case of any help or query, please contact us or raise a ticket.