Let’s discuss what Content Security Policy (CSP) is and how it can help improve the security of a Magento store. As the name suggests, this policy safeguards the data and integrity of the application while scripts or other resources are loaded into the browser. The server sends the CSP header in its response; the header tells the browser which resource origins have been explicitly whitelisted by the merchant or the developers, and the browser refuses to execute scripts from any origin not listed in the policy.
CSP plays a powerful role in detection and mitigation and is a proven extra layer of defence against attacks such as cross-site scripting, credential theft and session hijacking, as well as preventing any script or resource that does not belong to a trusted origin from loading on the store.
Implementing CSP in Magento
CSP can be deployed in report-only mode or in restrict (enforcing) mode, but it is always advisable to start with report-only mode. In report-only mode the browser does not block anything: whenever a policy violation occurs it only logs the violation in the console or sends a report to the configured report URI, while still executing the script.
Report-only mode is helpful for identifying possible policy violators at an early stage of the store’s development. During this stage we can build a whitelist of the resources and script origins that we trust and that are required for the application to run smoothly.
Once we have identified the resources and completed our whitelist, we can switch to restrict mode. From then on, scripts and resources such as .js, .css, .jpg or .svg files from any origin not mentioned in our policy will be blocked from loading in our Magento store.
It is also possible to configure different policies for the storefront and the admin dashboard, since each may need resources from different origins, and a policy can also be defined for specific pages.
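As an added example (not code from the original post or from Magento itself), the two configuration files a small custom module would carry to put the above into practice: a whitelist of trusted origins, and the per-area mode switch that keeps the admin in report-only mode while the storefront enforces. The module name Vendor_CspExample, the hostnames and the report endpoint are placeholders I constructed.

```xml
<?xml version="1.0"?>
<!-- File: app/code/Vendor/CspExample/etc/csp_whitelist.xml (Vendor_CspExample is a placeholder) -->
<!-- Each <policy id> is a CSP directive; each <value> is one trusted origin. Hostnames are constructed. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <!-- third-party analytics script; anything from an unlisted host is reported/blocked -->
                <value id="analytics-cdn" type="host">https://cdn.analytics.example</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="fonts-css" type="host">https://fonts.example</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="media-cdn" type="host">https://media.example</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

<?xml version="1.0"?>
<!-- File: app/code/Vendor/CspExample/etc/config.xml -->
<!-- report_only: 1 = report-only (log / send reports, nothing blocked), 0 = restrict (block). -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <!-- whitelist finalised for the storefront: enforce -->
                    <report_only>0</report_only>
                    <!-- placeholder collection endpoint for violation reports -->
                    <report_uri>https://csp-reports.example/collect</report_uri>
                </storefront>
                <admin>
                    <!-- admin still collecting violations before switching to restrict mode -->
                    <report_only>1</report_only>
                    <report_uri>https://csp-reports.example/collect</report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>
```

After enabling the module and flushing the cache, the storefront response carries a Content-Security-Policy header and the admin a Content-Security-Policy-Report-Only header, which you can confirm with the browser's network tab before relying on either.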
Conclusion
The robust nature of CSP improves the overall security of our store by blocking violators, while report-only mode helps us refine the policy over time.
If you need any help or have a query, please contact us or raise a ticket.