October 16, 2023

How Magento’s Content Security Policy keeps you secure

In a world dominated by technology and connectivity, online safety measures such as Magento’s Content Security Policy are crucial.

More than 2.8 billion cyber attacks occurred in the first half of 2022. That doesn’t include the 5,000,000+ mobile malware, adware and riskware attacks recorded in a single quarter. Attacks like these can prove devastating for an eCommerce website, which is why it’s imperative to mitigate them. One way to do so is by implementing a Content Security Policy.

What is a Content Security Policy?

In its simplest terms, a Content Security Policy (CSP) is a set of rules that website owners can set to specify who can load what content on their site. This can prevent the running of unwanted malware scripts, card skimming and misleading elements loading to the page. Customers therefore receive an extra layer of protection when browsing the website.

Another way to think about it is to imagine you’re handing a list of trusted friends (trusted sources) to a bouncer (the browser) and telling them, “Only these friends (sources) may come in and bring content to my party (website).” This creates a whitelist of trustworthy sources (shown below). The end result is that unwanted or potentially harmful content is prevented from loading, enhancing the website’s security.

[Image: Magento Content Security Policy configuration showing several whitelisted websites]

What is a Content Security Policy in the Context of Magento?

CSP features are a part of both Magento Open Source and its licensed variant, Adobe Commerce.

Released in Magento 2.3.5, these CSP features can be configured on a per-website level.

What Are the Benefits of Implementing Magento’s CSP?

One key benefit is that Magento CSP can make sure malicious content links and any associated scripts are instantly blocked from the protected website. This ensures customers are safe to make purchases on your website.

Adobe Commerce goes one step further with its ability to encrypt sensitive information, such as the data used at the payment gateway. Customer transactions can therefore be kept secure and their card details safe.

Magento security services can also be combined with additional safety measures, such as two-factor authentication (2FA). When used with these security hardening methods, a Magento CSP or Adobe Commerce Content Security Policy works in harmony to protect both you and your customers.

How can the CSP be customised?

Both Magento CSP and Adobe Commerce CSP feature two customisable modes:

  • Report mode recognises, but does not block, each URL loaded by the page and reports on any that fall outside the policy.
  • Restrict mode blocks any unrecognised URLs and the associated threats linked to the website.

One way to check which mode a page is in is to right-click the page and select ‘Inspect’. From there, click the ‘Console’ tab. Any issues will be presented there immediately, with a clear indication of whether the details are being reported or restricted entirely.

An experienced developer can set up the Magento CSP for you, initially in report mode and then moving to restrict mode. Setting this up is usually iterative, as an area of the website may trigger requests for further content and involve additional testing (such as a live chat widget pulling through a favicon icon). This does, however, ensure the content you want is pulled through and everything else is blocked.

It’s worth noting that you’ll need to continue to maintain the CSP as changes are made to your site. For example, a newly added tracking script will automatically be blocked in restrict mode. The domain and the type of policy will first need to be whitelisted, then tested to ensure the connection is authorised (shown below). Usually, this would form part of a typical development process, using a standard release procedure from a staging website to the production website.
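To make the bouncer-and-whitelist idea and the difference between report and restrict mode concrete, here is a small Python model of how a browser evaluates a policy against the resources a page tries to load, and of the whitelist-then-retest step described above. This is an added example written for this article, not Magento’s own code: the policy string, the storefront origin, the resource URLs and the tracker domain are all constructed for the illustration, and the source matching is simplified (ports, paths, nonces and hashes are ignored).

```python
from urllib.parse import urlparse

# Constructed sample policy, shaped like the Content-Security-Policy header a
# store might send; it is not taken from any real site.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://*.paypal.com https://js.stripe.com; "
    "img-src 'self' data: https://*.paypal.com; "
    "connect-src 'self' https://api.stripe.com"
)
PAGE_ORIGIN = "https://shop.example"  # constructed origin of the storefront page

# Constructed resource loads a storefront page might make: (directive, url).
SAMPLE_LOADS = [
    ("script-src", "https://js.stripe.com/v3/"),
    ("script-src", "https://www.paypal.com/sdk/js"),
    ("script-src", "https://cdn.tracker.example/pixel.js"),  # newly added tracking script, not whitelisted
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("connect-src", "https://api.stripe.com/v1/tokens"),
    ("font-src", "https://fonts.cdn.example/inter.woff2"),   # no font-src directive: falls back to default-src
]


def parse_policy(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Simplified CSP source matching: 'self', 'none', scheme-sources (data:, https:)
    and host-sources with an optional scheme and a leading *. wildcard.
    Keywords such as 'unsafe-inline' never match a URL here."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source.endswith(":"):  # scheme-source
        return url.lower().startswith(source.lower())
    scheme, _, host = source.partition("://") if "://" in source else ("", "", source)
    parsed = urlparse(url)
    if scheme and parsed.scheme.lower() != scheme.lower():
        return False
    host = host.lower()
    url_host = (parsed.hostname or "").lower()
    if host.startswith("*."):
        # *.paypal.com matches www.paypal.com but not the bare paypal.com
        return url_host.endswith(host[1:])
    return url_host == host


def evaluate(policy: str, directive: str, url: str, report_only: bool) -> str:
    """Return 'allowed', 'reported' (report mode) or 'blocked' (restrict mode)."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src", []))
    if any(source_matches(s, url) for s in sources):
        return "allowed"
    return "reported" if report_only else "blocked"


def audit(policy: str, loads, report_only: bool) -> list:
    """Evaluate every load and return the violations the browser console would show."""
    results = [(d, u, evaluate(policy, d, u, report_only)) for d, u in loads]
    return [r for r in results if r[2] != "allowed"]


def whitelist_host(policy: str, directive: str, host_source: str) -> str:
    """Add one host-source to a directive: the effect a new whitelist entry has on the header."""
    directives = parse_policy(policy)
    directives.setdefault(directive, []).append(host_source)
    return "; ".join(f"{d} {' '.join(v)}" for d, v in directives.items())


if __name__ == "__main__":
    print("report mode:  ", audit(SAMPLE_POLICY, SAMPLE_LOADS, report_only=True))
    print("restrict mode:", audit(SAMPLE_POLICY, SAMPLE_LOADS, report_only=False))
    fixed = whitelist_host(SAMPLE_POLICY, "script-src", "https://cdn.tracker.example")
    print("after whitelisting the tracker:", audit(fixed, SAMPLE_LOADS, report_only=False))
```

Run as-is, the audit lists the same two violations in both modes (the unlisted tracking script and a font falling back to `default-src`); the only difference is whether they are reported or blocked. Whitelisting the tracker’s host under `script-src` clears that violation on the next run while the font is still blocked, which is the iterative report-then-restrict loop the article describes.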

[Image: Magento and Adobe Commerce CSP configuration showing a large whitelist of individual website URLs]

Concerned About Magento Security?

We take a proactive approach to protecting your website. As a UK-based Magento agency, our developers are well-versed in Magento’s Content Security Policy and are happy to help ensure your content is protected.

Contact us for more information about your Magento CSP and we will be happy to help.

magic42 is unique in that it evolved from Mobile Fun, an award-winning online retailer with 20 years of experience, 27 international websites and a global distribution network managed from the heart of Birmingham.