MB-R089
Checkout and payment pages must enforce a strict Content Security Policy that limits scripts, frames, connections, and form submissions to approved domains. Weak or missing CSP makes payment pages easier to abuse for browser-side skimming. Validate checkout-specific `script-src`, `connect-src`, `frame-src`, `form-action`, and reporting directives.
A checkout Content Security Policy limits where scripts, frames, forms, images, and network requests can load from. Without CSP enforcement, XSS or injected third-party code has more room to exfiltrate payment data.
Report-only mode is useful for tuning, but enforcement is what blocks unauthorized behavior. Checkout should have a deliberate policy aligned to payment providers and required services.
curl -I https://mystore.com/checkout | grep -i content-security-policy
# Expected: enforcing Content-Security-Policy header, not only Report-Only
# Confirm script-src, frame-src, connect-src, img-src, and form-action are scoped to approved providers
Content-Security-Policy-Report-Only: script-src *
# Only reports and permits broad sources → FAIL
Content-Security-Policy: default-src 'self'; script-src 'self' https://js.gateway.example; frame-src https://checkout.gateway.example;
# Enforced and scoped → PASS