What is Content Security Policy (CSP)?
CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. It is important to be protected against these threats, as they could compromise the integrity of your data or leave your customers exposed to the risk of fraud.
For further information on CSP, you can refer to the Mozilla documentation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If CSP has been configured as part of your solution, your CSP definition should include the following:
- default-src 'none'
- script-src 'self' 'unsafe-inline' https://*.securetrading.net https://pay.google.com https://*.secure.checkout.visa.com https://*.cardinalcommerce.com https://*.mastercard.com
- connect-src 'self' https://*.sentry.io https://*.cardinalcommerce.com https://google.com/pay
- img-src 'self' data: https://*.gstatic.com https://*.vims.visa.com https://*.secure.checkout.visa.com https://*.mastercard.com
- font-src 'self' https://*.gstatic.com
- frame-src 'self' https://*.trustpayments.com https://*.securetrading.net https://*.secure.checkout.visa.com https://*.cardinalcommerce.com https://pay.google.com https://thm.visa.com https://*.mastercard.com/
- style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
- form-action 'self' https://*.cardinalcommerce.com https://*.securetrading.net
- base-uri 'self'
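To check that a header you actually serve permits everything in the list above, here is an added example (not code from this page or from the payment provider): it parses a Content-Security-Policy header value, applies the default-src fallback for fetch directives, and reports the required sources the header does not allow. REQUIRED_HEADER transcribes the directive list above into header form; the check treats a broader wildcard host (for example https://*.visa.com) as covering the narrower hosts listed, which is an assumption about what your policy accepts.

```python
# Transcribed from the directive list above (added example, not vendor code).
REQUIRED_HEADER = (
    "default-src 'none'; "
    "script-src 'self' 'unsafe-inline' https://*.securetrading.net https://pay.google.com "
    "https://*.secure.checkout.visa.com https://*.cardinalcommerce.com https://*.mastercard.com; "
    "connect-src 'self' https://*.sentry.io https://*.cardinalcommerce.com https://google.com/pay; "
    "img-src 'self' data: https://*.gstatic.com https://*.vims.visa.com "
    "https://*.secure.checkout.visa.com https://*.mastercard.com; "
    "font-src 'self' https://*.gstatic.com; "
    "frame-src 'self' https://*.trustpayments.com https://*.securetrading.net "
    "https://*.secure.checkout.visa.com https://*.cardinalcommerce.com https://pay.google.com "
    "https://thm.visa.com https://*.mastercard.com/; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "form-action 'self' https://*.cardinalcommerce.com https://*.securetrading.net; "
    "base-uri 'self'"
)


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.
    Names are case-insensitive; like browsers, keep only the first copy of a repeated directive."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def covers(granted, wanted):
    """True when `granted` permits at least what `wanted` permits: an exact match, or a
    wildcard host (https://*.example.com) whose suffix matches the wanted host. A wildcard
    never covers the bare apex, so https://*.google.com does not cover https://google.com/pay."""
    g, w = granted.lower().rstrip("/"), wanted.lower().rstrip("/")
    if g == w:
        return True
    if g.startswith("https://*.") and w.startswith("https://"):
        host = w[len("https://"):].split("/", 1)[0]
        return host.endswith(g[len("https://*"):])
    return False


def missing_sources(candidate):
    """Return {directive: [required sources the candidate header does not allow]}."""
    policy, required = parse_csp(candidate), parse_csp(REQUIRED_HEADER)
    missing = {}
    for directive, needed in required.items():
        granted = policy.get(directive)
        # Fetch directives inherit default-src when omitted; form-action and base-uri do not.
        if granted is None and directive not in ("form-action", "base-uri"):
            granted = policy.get("default-src")
        gaps = [s for s in needed if not any(covers(g, s) for g in granted or [])]
        if gaps:
            missing[directive] = gaps
    return missing
```

Run `missing_sources()` on the value of the Content-Security-Policy response header your site serves; an empty dict means every required source is allowed.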
Your progress
Now that you have reviewed your CSP, you can begin to customise your solution further and enable additional features:
- How to test your solution
- Learn what happens after transactions have been processed.
- Update your solution to support Apple Pay.
- Securely store customer payment credentials for future transactions.
- Schedule automated subscription payments.
- Full list of features.
Once you have enabled all the features you need and have thoroughly tested your solution, you can prepare to go live: