{"id":23683,"date":"2020-05-18T15:52:00","date_gmt":"2020-05-18T13:52:00","guid":{"rendered":"https:\/\/www.ecomwise.com\/?p=23683"},"modified":"2024-12-16T15:30:28","modified_gmt":"2024-12-16T14:30:28","slug":"nieuw-in-magento-2-3-5-content-security-policy","status":"publish","type":"post","link":"https:\/\/www.ecomwise.com\/en\/nieuw-in-magento-2-3-5-content-security-policy\/","title":{"rendered":"New in Magento 2.3.5: Content Security Policy"},
"content":{"rendered":"<p><strong>The latest version of Magento, 2.3.5, has <a href=\"https:\/\/devdocs.magento.com\/security\/content-security-policy-overview.html\">introduced<\/a> new security functionality: the Content Security Policy (CSP). This new functionality is a great addition to the security options Magento already offers, and is considered a best practice for securing your shop. But what is a CSP and why should you apply it?<\/strong><\/p>\n<h1><strong>What is Content Security Policy (CSP)?<\/strong><\/h1>\n<p>A website contains (many) different scripts. These scripts provide extra functionality in your webshop, measure the customer journey on the website or keep track of how many of your ads convert. Measuring your website with Google Analytics, for example, is done via a script that is loaded on the page.<\/p>\n<p>Most scripts are used for good purposes. Unfortunately, there are also scripts that you should keep out of your webshop. An example is a script that transmits credit card data and passwords to hackers. Such scripts can only be placed once a hacker has gained access to the webshop via leaked admin credentials, via an <em>exploit<\/em> in an extension or the template, or via a bug in Magento itself.<\/p>\n<p>Of course, the chance of this happening is minimal if you keep your webshop and extensions well up to date. However, there are past examples of attacks that have been successful. The best-known is that of the <a href=\"https:\/\/www.riskiq.com\/what-is-magecart\/\">Magecart<\/a> group, which managed to siphon off personal data on a large scale through scripts.<\/p>\n<p>This is where a CSP comes in handy. A CSP is a rule on the website that instructs the browser which scripts may be loaded. Scripts that are not included in the CSP will not be loaded by the browser. The CSP is a <i>last line of defence<\/i>: the script has already been placed on the website, but the visitor's browser simply refuses to execute it. This prevents data from being siphoned off from your website. Besides blocking scripts that are not allowed, a CSP also reports each script that is not included in the CSP. This can then be acted upon quickly to remove the script as soon as possible.<\/p>\n<h1><strong>What does this mean for your webshop?<\/strong><\/h1>\n<p>CSPs are not new and are already used on many websites. However, Magento only introduced this functionality with version 2.3.5 and turns it on by default when updating. By default, CSP is set to <i>report-only<\/i> mode, meaning it only reports the scripts that have not yet been added to the CSP; nothing is blocked yet. In your browser console you will see the resulting error messages; see the image below for an example. This is logical: otherwise part of your website would stop working while the CSP has not yet been set up (properly).<\/p>\n<figure class=\"wp-caption\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1007\" height=\"826\" src=\"https:\/\/www.ecomwise.com\/wp-content\/uploads\/2024\/11\/CSP-report.png\" class=\"attachment-full size-full wp-image-23689\" alt=\"Example of the browser console when the CSP is not yet set up.\" srcset=\"https:\/\/www.ecomwise.com\/wp-content\/uploads\/2024\/11\/CSP-report.png 1007w, https:\/\/www.ecomwise.com\/wp-content\/uploads\/2024\/11\/CSP-report-300x246.png 300w, https:\/\/www.ecomwise.com\/wp-content\/uploads\/2024\/11\/CSP-report-768x630.png 768w, https:\/\/www.ecomwise.com\/wp-content\/uploads\/2024\/11\/CSP-report-15x12.png 15w\" sizes=\"(max-width: 1007px) 100vw, 1007px\" \/><figcaption class=\"widget-image-caption wp-caption-text\"><strong><em>Example of the browser console when the CSP is not yet set up.<\/em><\/strong><\/figcaption><\/figure>\n<p>Once you have drawn up your CSP, the advice is to enable the so-called <i>restrict mode<\/i> on your website, which actually blocks scripts that are not included in the CSP. Only then do you have more assurance that your shop remains safe should an unauthorised script be placed. The disadvantage of this mode, however, is that scripts you add to the shop must first be added to the CSP before they work. This can be annoying, for example when you want to deploy marketing or analytics scripts such as Hotjar. Magento is expected to adopt <i>restrict mode<\/i> as the default in later versions, so it is wise to set this up properly now.<\/p>\n<p>Because the CSP can only be adjusted directly in the code, this is not something you, as a webshop administrator, can easily implement yourself via the Magento configuration. This is a deliberate security measure: if a hacker gained access to the webshop, he could otherwise add his own script to the CSP. Your webshop builder can help you by creating the CSP for you and setting the desired mode. First, the website must be scanned for the scripts it loads. Next, those scripts have to be added to the CSP, after which the site must be monitored to confirm that everything still works as desired. Finally, <i>restrict mode<\/i> can be enabled if desired. Should you later want to activate a new script in the webshop, you can submit it to the website builder so that it can also be added to the CSP.<\/p>\n<p>If you need help implementing the CSP, we can support you. <a href=\"https:\/\/www.ecomwise.com\/en\/contact\/\">Contact<\/a> us for questions, comments and the possibilities.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>The latest version of Magento, 2.3.5, has introduced new security functionality: the Content Security Policy (CSP). This new functionality is a great addition to the security options Magento already offers, and is considered a best practice for securing your shop. But what is a CSP and why should you [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":24395,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard",
"meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"","_seopress_titles_title":"New in Magento 2.3.5: Content Security Policy - Ecomwise","_seopress_titles_desc":"A website contains (many) different scripts. These scripts provide extra functionality in your webshop, measure the customer journey on the website or keep track of how many of your ads convert.","_seopress_robots_index":"","inline_featured_image":false,"footnotes":""},"categories":[29,1],"tags":[],"class_list":["post-23683","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-development","category-nieuws"],"acf":[],
"_links":{"self":[{"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/posts\/23683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/comments?post=23683"}],"version-history":[{"count":1,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/posts\/23683\/revisions"}],"predecessor-version":[{"id":24398,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/posts\/23683\/revisions\/24398"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/media\/24395"}]
,"wp:attachment":[{"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/media?parent=23683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/categories?post=23683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ecomwise.com\/en\/wp-json\/wp\/v2\/tags?post=23683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}