← Back to Baseline

MB-R089

Checkout Content Security Policy enforced

C04 HTTPS & TLS Enforcement High

Checkout and payment pages must enforce a strict Content Security Policy that limits scripts, frames, connections, and form submissions to approved domains. Weak or missing CSP makes payment pages easier to abuse for browser-side skimming. Validate checkout-specific `script-src`, `connect-src`, `frame-src`, `form-action`, and reporting directives.

Why it Matters

A checkout Content Security Policy limits where scripts, frames, forms, images, and network requests can load from. Without CSP enforcement, XSS or injected third-party code has more room to exfiltrate payment data.

Report-only mode is useful for tuning, but enforcement is what blocks unauthorized behavior. Checkout should have a deliberate policy aligned to payment providers and required services.

Verification Steps

Header check

curl -I https://mystore.com/checkout | grep -i content-security-policy
# Expected: enforcing Content-Security-Policy header, not only Report-Only

Policy review

# Confirm script-src, frame-src, connect-src, img-src, and form-action are scoped to approved providers

Remediation / Fix Guidance

  1. Enable Magento CSP for storefront checkout and payment routes.
  2. Start with report-only tuning, then move checkout to enforcement.
  3. Allow only required payment, fraud, analytics, and first-party domains.
  4. Remove unsafe inline/eval allowances where possible.
  5. Monitor CSP violation reports for unexpected checkout behavior.

Examples

Fail Example
Content-Security-Policy-Report-Only: script-src *
# Only reports and permits broad sources → FAIL
Pass Example
Content-Security-Policy: default-src 'self'; script-src 'self' https://js.gateway.example; frame-src https://checkout.gateway.example;
# Enforced and scoped → PASS

References