Content Security Policy (CSP)
Hyvä CSP is currently unreleased.
This is a documentation preview.
Please watch the #update-notifications channel in Slack to be notified when it becomes available.
To be compliant with PCI DSS 4.0 (requirement 6.4.3, which covers the scripts executed on payment pages), a strict Content Security Policy (CSP) has to be enforced.
This means the script-src directive must not contain 'unsafe-inline' or 'unsafe-eval'.
Every inline script that is allowed to execute on the page has to be authorized by a valid nonce attribute on its <script> tag. The nonce must be unpredictable, freshly generated for every response, and the same value must appear in the Content-Security-Policy header. Note that browsers implementing CSP3 ignore 'unsafe-inline' as soon as a nonce or hash source is present, so a nonce-less inline script is blocked even if that keyword is still in the policy.
Also, a CSP-compatible build of Alpine.js has to be used. The default Alpine.js build turns directive expressions into functions at runtime (via the Function constructor), which requires 'unsafe-eval'; the CSP build only resolves expressions as property and method lookups on the component, so x-data, x-on and similar directives must reference names registered through Alpine.data() rather than inline JavaScript expressions.
Changes to the checkout
- Strict CSP is enforced on the checkout pages.
- All scripts must be authorized by having a valid nonce.
- All scripts must be present in the server-rendered page source when the page loads; scripts injected at runtime are not authorized and will be blocked.
Technical documentation for Hyvä Themes
To get started with CSP, please refer to the Hyvä Theme developer documentation.