Prevent Hacks! Why CSP is crucial for your Magento shop
- Jan. 20, 2025
- Luuk Roovers
Effectively address XSS issues with Content Security Policy (CSP)
Security remains an essential part of any web application, especially for e-commerce platforms such as Magento. A common threat is Cross-Site Scripting (XSS), in which attackers get malicious scripts to execute on your website, in your visitors' browsers. Fortunately, a Content Security Policy (CSP) provides powerful mitigation against these attacks.
What is a CSP?
A Content Security Policy ensures that only the code you have explicitly allowed is executed. This not only protects against XSS, but also prevents other unwanted scripts from being loaded. CSP has been a recommended measure for years. Back in 2016, for example, Google recommended applying strict-dynamic for more robust security.
Since Magento 2.4.7, the explicit advice is to apply a strict CSP, starting with the checkout page. This advice will extend to other pages within Magento in the future.
Recommendations from the industry
The use of CSP is widely supported by industry and government agencies:
- Google: In 2016, the use of strict-dynamic was promoted because whitelists were no longer considered sufficiently secure. Read more.
- Government: The updated ICT Security Guidelines for Web Applications (2024) recommend the standard use of security headers, including CSP. Read the guidelines.
- Adobe: Magento's development team offers extensive documentation on implementing CSP. Check out the guide.
How do you check your current CSP?
Want to know if your site meets the recommended security settings? Test it easily via internet.nl. Here you get instant insight into the effectiveness of your security headers, including CSP.
The roadmap to a strict CSP
At Vicus, we recommend a structured approach to implementing a strict CSP:
- Start with a scan: Use a browser plugin to click through your website and generate reports on all CSP violations.
- Analyze the reports: This gives you insight into the rules that need to be adjusted.
- Modify the CSP (or ask Vicus to do that for you):
  - Add external scripts to the policy XML.
  - For inline scripts, add a nonce via the code.
  - Hash inline scripts and add them to the CSP whitelist.
- Keep monitoring: CSP generates ongoing reports on violations. These should be monitored and the policy updated as needed.
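The two steps above that are easiest to get wrong are reading the violation reports and computing hashes for inline scripts. The following is an added example, not code from the Vicus post or from Magento: it aggregates constructed sample reports (in the report-uri JSON format browsers POST) by directive and blocked URI, and computes the CSP hash of an inline script body exactly as the browser does, over the text between the script tags with whitespace included.

```python
import base64
import hashlib
import json
from collections import Counter

# Constructed sample: three CSP violation reports in the report-uri JSON
# format, as a browser would POST them while clicking through the shop.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout", '
    '"violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", '
    '"violated-directive": "script-src", '
    '"blocked-uri": "https://cdn.example-analytics.invalid/tag.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", '
    '"violated-directive": "script-src", "blocked-uri": "inline"}}',
]


def summarize_reports(lines):
    """Count violations per (directive, blocked-uri) so the policy can be
    adjusted rule by rule: a host goes to the whitelist, 'inline' needs a
    nonce or a hash. Returns a plain dict for easy inspection."""
    counts = Counter()
    for line in lines:
        report = json.loads(line).get("csp-report", {})
        key = (report.get("violated-directive", "?"), report.get("blocked-uri", "?"))
        counts[key] += 1
    return dict(counts)


def csp_hash(script_body, algorithm="sha256"):
    """Hash an inline script the way the browser checks it: over the exact
    text between <script> and </script>, whitespace included, so the body
    must be copied byte for byte. Returns the header token ('sha256-...')
    and the bare base64 digest; any edit to the script changes both."""
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return f"'{algorithm}-{b64}'", b64


if __name__ == "__main__":
    for (directive, uri), n in summarize_reports(SAMPLE_REPORTS).items():
        print(f"{n:3d}  {directive:12s} {uri}")
    token, digest = csp_hash("window.checkoutConfig = {};")
    print("script-src", token)
```

Because a hash is tied to the exact script text, hashes suit inline scripts that never change; for scripts the shop renders dynamically, a per-request nonce is the workable option.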
How Vicus can help you
Implementing a strict CSP can be time-consuming, but at Vicus, we have the expertise to streamline this process. As Magento experts since 2007, we ensure a seamless implementation, from initial scanning to ongoing monitoring. Plus, we host your Magento environment on a flexible platform that meets the highest security standards, such as ISO 27001 and PCI-DSS.
Our USPs:
- Years of experience with Magento 1, Magento 2 and OpenMage.
- Expertise in implementing security solutions such as CSP.
- Hosting on a platform with optimized performance and strict security.
Conclusion
Addressing XSS issues and other security risks starts with implementing a strict CSP. With Magento 2.4.7, this becomes even more important. Don't wait any longer and let us optimally secure your webshop. Contact Vicus and take the first step to a secure e-commerce environment!