Content Security Policy (CSP) in Magento2

What is CSP?

CSP (Content Security Policy) is an added layer of security that is used to mitigate unwanted/malicious scripts from running on a website page.

If CSP is set up, when a user's browser requests a page over HTTP, the website returns a Content Security Policy header to the user's browser. The browser then knows what content is allowed to load and, more importantly, what content to refuse because it is not in the CSP list.

CSP works on various types of content, including images, scripts, iframes and style sheets. Support for CSP within Magento was officially added in version 2.3.5.


How does CSP improve security?

When CSP is set up and running, only whitelisted content will be run by the user's browser; anything that is not on the CSP list will be refused.

This results in a CSP error in the browser console.

So, in the event that a Magento Admin panel is compromised and a malicious user uploads an unwanted script, if CSP is set up correctly the browser should refuse to load the content. This provides an extra layer of security and helps protect users.

Cross-site scripting (XSS) and related attacks, such as card skimmers, session hijacking and clickjacking, can be prevented with a correctly set up CSP.

CSPs and built-in browser capabilities, in summary, help to prevent:

  • Loading a malicious script from an attacker’s website
  • A malicious inline script from sending credit card info to an attacker’s website
  • Loading a malicious style that will make users click on an element that wasn’t supposed to be on a page

For Magento, there are two CSP modes that can be used: "report-only" and "restrict mode". Ideally, Magento is always running in restrict mode; however, this is not always possible with payment gateways and their 3D Secure process.

Report Only:
Magento reports policy violations but does not interfere. By default, CSP violations are written to the browser console.

Restrict Mode:

In this mode, Magento acts on any policy violations. The browser will refuse to load non-whitelisted content and report a CSP error in the browser console.
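As an added example (not from the original post), the two module-level files that control what gets whitelisted and which mode Magento runs in: a csp_whitelist.xml allowing a payment gateway's script, 3D Secure iframe and API hosts, and a config.xml that switches the storefront from report-only to restrict mode. Vendor_Module and the payment-gateway.example hostnames are placeholders.

```xml
<?xml version="1.0"?>
<!-- File 1: app/code/Vendor/Module/etc/csp_whitelist.xml
     Vendor_Module and the gateway hostnames are placeholders. Each <value>
     is merged into the named directive of the policy Magento emits. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <!-- The gateway's hosted JavaScript (card tokenisation) -->
        <policy id="script-src">
            <values>
                <value id="gateway-js" type="host">js.payment-gateway.example</value>
            </values>
        </policy>
        <!-- The 3D Secure challenge is rendered in an iframe, so it needs frame-src -->
        <policy id="frame-src">
            <values>
                <value id="gateway-3ds" type="host">3ds.payment-gateway.example</value>
            </values>
        </policy>
        <!-- The tokenisation script calls the gateway API via XHR/fetch (connect-src) -->
        <policy id="connect-src">
            <values>
                <value id="gateway-api" type="host">api.payment-gateway.example</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

<?xml version="1.0"?>
<!-- File 2: app/code/Vendor/Module/etc/config.xml
     Magento ships with report_only = 1 for both areas. Set the storefront to 0
     only once the console shows no violations in report-only mode. -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>0</report_only> <!-- restrict mode on the storefront -->
                </storefront>
                <admin>
                    <report_only>1</report_only> <!-- keep admin in report-only while testing -->
                </admin>
            </mode>
        </csp>
    </default>
</config>
```

After deploying, check the Content-Security-Policy (restrict) or Content-Security-Policy-Report-Only (report-only) response header on a checkout page to confirm the hosts appear in the expected directives.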


Advanced CSP Configuration

For more advanced CSP configuration, a third-party service such as report-uri.com can be used to monitor and collect all CSP violation reports. Errors faced by customers can then be whitelisted accordingly, or, if a suspicious resource appears in the reports, an investigation can be launched. More can be read about this in Magento's DevDocs.


Summary and takeaways

CSP is a key tool for maintaining security and helping to protect against malicious attacks; however, it is not the only tool a website should rely on. Keeping your Magento site patched with security updates and keeping the admin panel locked down are the fundamentals, with CSP being one additional security measure that can be deployed.

For example, a strict CSP in Magento could be circumvented if a malicious user gained access to the server or code base because of missing security patches. At that point they could even whitelist their own malicious scripts or disable restrict mode.

If you see CSP errors on your website, it is worth discussing them with the development team to have them resolved. In report-only mode they do not cause issues themselves; however, best practice is to resolve them so that the console stays clear for debugging real issues.

-
For further information on how to protect your Magento site from malicious attacks, please contact us today.

Will Brammer

Head of Support