
Content Security Policy (CSP) for Hyvä Themes

Content Security Policy (CSP) is a crucial browser security mechanism, especially for Magento and Hyvä developers. From April 1, 2025, PCI-DSS 4.0 requires that the 'unsafe-eval' and 'unsafe-inline' script sources be disallowed on payment pages, so that injected scripts cannot execute there. This document outlines these PCI-DSS requirements for Hyvä themes and the CSP-compatible solutions Hyvä offers. For a general overview of CSP, refer to our blog post: What is CSP and why should I care?

PCI-DSS 4.0 Requirements for Payment Pages

From April 1, 2025, PCI-DSS 4.0 enforces stricter CSP policies on payment-related pages. Specifically, the script policy (script-src, or default-src where no script-src is set) must not contain 'unsafe-eval' or 'unsafe-inline', so that neither injected inline JavaScript nor string-to-code evaluation (eval, new Function, setTimeout with a string) can run on those pages.
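The check a practitioner wants here is whether the policy a payment page actually sends still permits inline scripts or eval. The following script is an added example, not part of the Hyvä documentation or code: it parses a Content-Security-Policy header value, resolves the directive that governs script elements and eval (script-src-elem or script-src, falling back to default-src, as browsers do), and reports whether 'unsafe-inline' and 'unsafe-eval' are in effect. The sample header values are constructed; the host https://psp.example is a placeholder for a payment service provider.

```python
"""Audit one Content-Security-Policy header value for the script sources
PCI-DSS 4.0 wants off payment pages: 'unsafe-inline' and 'unsafe-eval'.

Added example; the sample headers below are constructed for illustration.
"""
import re

# A nonce or hash source in the governing directive makes browsers ignore
# 'unsafe-inline' (CSP level 2 and later); 'strict-dynamic' does the same.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$"
)


def parse_csp(header: str) -> dict:
    """Return {directive: [sources]} for a single header value.

    Directive names are case-insensitive; when a directive is repeated,
    browsers keep the first occurrence and ignore the rest, so do we.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def _governing(policy: dict, chain: tuple):
    """First directive in the fallback chain that is present, or None."""
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None


def audit_payment_page_csp(header: str) -> dict:
    """Classify inline-script and eval handling for one CSP header value.

    Statuses:
      'blocked'      - keyword absent from the governing directive
      'allowed'      - keyword present and in effect
      'neutralised'  - 'unsafe-inline' present but overridden by a nonce,
                       hash or 'strict-dynamic' (scanners and auditors still
                       see the literal keyword, so it is reported as a finding)
      'unrestricted' - no directive governs scripts at all
    """
    policy = parse_csp(header)

    # <script> elements: script-src-elem -> script-src -> default-src
    _, inline_src = _governing(policy, ("script-src-elem", "script-src", "default-src"))
    # eval()/new Function(): script-src -> default-src (script-src-elem does not apply)
    _, eval_src = _governing(policy, ("script-src", "default-src"))

    if inline_src is None:
        inline = "unrestricted"
    elif "'unsafe-inline'" not in inline_src:
        inline = "blocked"
    elif "'strict-dynamic'" in inline_src or any(NONCE_OR_HASH.match(s) for s in inline_src):
        inline = "neutralised"
    else:
        inline = "allowed"

    if eval_src is None:
        evaluation = "unrestricted"
    elif "'unsafe-eval'" in eval_src:
        evaluation = "allowed"
    else:
        evaluation = "blocked"

    return {
        "inline": inline,
        "eval": evaluation,
        "compliant": inline == "blocked" and evaluation == "blocked",
    }


# Constructed sample headers (not captured from any real site).
WEAK_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://psp.example"
)
HARDENED_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0mV4lu3' https://psp.example; "
    "object-src 'none'; base-uri 'self'"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_payment_page_csp(header))
```

A page may send several Content-Security-Policy headers (and a meta tag); every one of them is enforced, so run the audit over each value of the checkout response separately. A nonce-based policy normally keeps 'unsafe-inline' only as a fallback for very old browsers; the function reports that as 'neutralised' rather than 'blocked' because the literal keyword is what a compliance scan will see.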

Why is PCI-DSS becoming more strict?

Modern credit card skimming attacks no longer rely on compromised server-side payment forms. Since most merchants use payment service providers (PSPs) that handle payment processing via redirects or iframes, attackers have shifted tactics.

Current attacks inject JavaScript that redirects customers to phishing sites mimicking the legitimate PSP. After customers enter payment credentials, they are forwarded to the real site without noticing the interception.

Strict CSP policies prevent this attack by blocking unauthorized script execution on the merchant's own pages, which is where the injected redirect has to run, even when the payment form itself is served by an external PSP.

Which Pages Require Strict CSP?

The PCI-DSS 4.0 specification (requirement 6.4.3) broadly states that it covers:

All payment page scripts that are loaded and executed in the consumer's browser

Requirement 6.4.3 asks that each such script be authorized, have its integrity assured, and be recorded in an inventory. A strict CSP that forbids 'unsafe-inline' and 'unsafe-eval' is the technical control Hyvä uses for the authorization part.

However, the exact scope remains ambiguous. It's unclear if this applies solely to checkout pages or also to pages featuring in-context payment buttons (e.g., PayPal Express, Apple Pay).

The PCI-DSS 4.0.1 Self Assessment Questionnaire (SAQ-A) offers limited clarification:

For SAQ A, Requirement 6 applies to merchant server(s) with a webpage that either 1) redirects customers from the merchant webpage to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP's/payment processor's embedded payment page/form (for example, one or more inline frames or iframes).

Factors Affecting Compliance Requirements

Compliance interpretation may vary based on:

  • Merchant's country of operation
  • Type of goods sold
  • Security track record of merchant and hosting provider
  • Payment service provider requirements

Merchant Responsibility for PCI-DSS Compliance

Merchants are solely responsible for evaluating their specific PCI-DSS compliance requirements and implementing appropriate measures. Hyvä cannot make this determination. While Hyvä provides CSP-compatible versions of both Hyvä Theme and Hyvä Checkout, merchants must select the implementation strategy that best fits their compliance needs.

Hyvä CSP Implementation Options

Hyvä offers several CSP implementation strategies to align with various compliance needs:

  • Strict CSP checkout only: enable CSP strict mode only on checkout pages. Use case: balances security with development flexibility.
  • Strict CSP checkout + redirect buttons: CSP checkout with redirect-based in-context payments. Use case: preserves UX while ensuring compliance.
  • Full theme CSP compatibility: use the Alpine CSP build site-wide. Use case: maximum security, requires more code migration.

For Alpine.js CSP compatibility details, see Alpine CSP. For Hyvä Checkout CSP configuration, see Hyvä Checkout CSP Documentation.