Content Security Policy Support

April 28, 2020

By: sverma

Magento v2.3.5 includes a set of powerful new security tools for Magento installations. Content Security Policies (CSP) provide additional layers of defense by helping to detect and mitigate Cross-Site Scripting (XSS) and related data injection attacks. This common attack vector works by injecting malicious content that falsely claims to originate from the website. After the malicious content is loaded and executed, it can initiate the unauthorized transfer of data.

CSP provides a standardized set of directives that tell the browser which content resources can be trusted, and which should be blocked. Using carefully defined policies, CSP restricts browser content to include only whitelisted resources. In 2.3.5, CSP initially operates by default in report-only mode to allow merchants and developers to configure the policies for the specific site and to identify the content resources to allow. In a future release, restrict mode will be enabled by default for additional out-of-the-box protection.

To learn more, see Content Security Policy Overview. For technical information, see Content Security Policies in the PHP Developer Guide

Content Security Policy Overview
 https://devdocs.magento.com/security/content-security-policy-overview.html

Content Security Policies
 https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html