In a world dominated by technology and connectivity, online safety measures such as Magento’s Content Security Policy are crucial.
More than 2.8 billion cyber attacks occurred in the first half of 2022. That doesn’t include the 5,000,000+ mobile malware, adware and riskware attacks recorded in a single quarter alone. Attacks like these can prove devastating for an eCommerce website, which is why it’s imperative to mitigate these risks. One way to do so is by implementing a Content Security Policy.
In its simplest terms, a Content Security Policy (CSP) is a set of rules that website owners can set to specify who can load what content on their site. This can prevent the running of unwanted malware scripts, card skimming and misleading elements loading to the page. Customers therefore receive an extra layer of protection when browsing the website.
Another way to think about it is to imagine giving a list of trusted friends (trusted sources) to a bouncer (the browser) and saying, “Only these friends (sources) can attend and bring content to my party (website).” This creates a whitelist of trustworthy sources (shown below). The end result is that unwanted or potentially harmful content is prevented from loading, enhancing the website’s security.
CSP features are a part of both Magento Open Source and its licensed variant, Adobe Commerce.
Released back in Magento 2.3.5, these CSP features can be applied on a per website level.
One key benefit is that Magento CSP can make sure malicious content links and any associated scripts are instantly blocked from the protected website. This ensures customers are safe to make purchases on your website.
Adobe Commerce even goes one step further with its ability to encrypt sensitive information, such as the details used at the payment gateway. Customer transactions can therefore be kept secure and card details safe.
Magento security services can also be combined with additional safety measures, such as two-factor authentication (2FA). When used with these security hardening methods, a Magento CSP or Adobe Commerce Content Security Policy works in harmony to protect both you and your customers.
Both Magento CSP and Adobe Commerce CSP feature two customisable modes: report mode, in which violations are only reported to the browser console and the content still loads, and restrict mode, in which violating content is blocked entirely.
One way to check a page’s current mode is to right-click the page and select ‘Inspect’. From there, click the ‘Console’ tab. Any issues will be presented there immediately, with a clear indication of whether the offending content is only being reported or is being restricted entirely.
An experienced developer can set up the Magento CSP for you, initially in report mode and then in restrict mode. Setting this up is usually iterative, as one area of the website may trigger requests for further content that needs additional testing (such as a live chat widget pulling through a favicon). This will, however, ensure that the content you want is pulled through and the rest is blocked.
It’s worth noting that you’ll need to keep maintaining the CSP as changes are made to your site. For example, a newly added tracking script will automatically be blocked in restrict mode. Its domain and the type of policy it falls under will first need to be whitelisted, then tested to ensure the connection is authorised (shown below). Usually this forms part of a typical development process, using a standard release procedure from a staging website to the production website.
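As an added example (not code from the original article or from Magento itself), this is how the whitelisting step above looks in a custom module’s etc/csp_whitelist.xml, using the file format Magento’s CSP module documents; the module and the vendor host https://tracking.example.com are placeholders:

```xml
<?xml version="1.0"?>
<!--
  Added example, not from the original article. File: etc/csp_whitelist.xml
  inside a small custom module (placeholder); the tracking vendor host
  https://tracking.example.com is a placeholder as well.
  Each <policy id> is a CSP directive and each <value> is a source allowed for it.
-->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <!-- The tag's JavaScript is loaded from the vendor, so script-src needs the host. -->
        <policy id="script-src">
            <values>
                <value id="tracking_vendor_script" type="host">https://tracking.example.com</value>
            </values>
        </policy>
        <!-- The script then sends beacons back to the vendor, so connect-src needs the host too;
             without this entry the script loads but its requests are blocked in restrict mode. -->
        <policy id="connect-src">
            <values>
                <value id="tracking_vendor_connect" type="host">https://tracking.example.com</value>
            </values>
        </policy>
        <!-- Tracking pixels are images, so img-src covers them. -->
        <policy id="img-src">
            <values>
                <value id="tracking_vendor_pixel" type="host">https://tracking.example.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

The mode itself lives in the module’s etc/config.xml: csp/mode/storefront/report_only set to 1 keeps the storefront in report mode while you watch the console, and 0 switches it to restrict mode once no violations remain.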
We take a proactive approach in protecting your website. As we are a UK based Magento agency, our developers are well-versed in Magento’s Content Security Policy and are happy to help ensure your content is protected.
Contact us for more information about your Magento CSP and we will be happy to help.