Introduction
Technical documentation for Hyvä Themes
To get started with CSP, please refer to the Hyvä Theme developer documentation.
PCI-DSS 4.0 Compliance
To achieve PCI-DSS 4.0 compliance, we must implement strict Content Security Policies (CSP) that enhance security by controlling how scripts are executed on our pages.
Key Requirements
Script Execution Controls:
- The 'unsafe-inline' and 'unsafe-eval' keywords must be removed from the script policy (script-src)
- All inline JavaScript requires authorization through a valid nonce attribute on its <script> tag
- Alpine.js must be updated to a CSP-compatible version
Checkout Page Changes
The following security measures are now enforced on checkout pages:
Strict CSP Implementation:
- All scripts must include a valid nonce for authorization
- Scripts must be present in the original page source and cannot be dynamically injected
- No exceptions are permitted for inline script execution without proper authorization
These changes ensure that only explicitly authorized scripts can execute, significantly reducing the risk of cross-site scripting (XSS) attacks and meeting PCI-DSS 4.0 security standards.
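The following audit script is an added example, not code from the Hyvä documentation or theme. It takes a Content-Security-Policy header and a page body, and reports every condition the requirements above describe: 'unsafe-inline' or 'unsafe-eval' present in the script policy, a policy without a nonce, and any <script> tag whose nonce is missing or does not match the header. Since the checkout rule says every script needs a nonce, external scripts without one are flagged too. The headers, the page markup and the script path /static/alpine-csp.js are constructed for the demonstration; the Alpine.js path in a real Hyvä install will differ.

```python
import secrets
from html.parser import HTMLParser


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs scripts; when it is absent, default-src applies (CSP fallback)."""
    return policy.get("script-src", policy.get("default-src", []))


def header_nonces(policy):
    """Return the set of nonce values the policy authorizes, e.g. {'abc'} from 'nonce-abc'."""
    return {
        src[len("'nonce-"):-1]
        for src in script_sources(policy)
        if src.startswith("'nonce-") and src.endswith("'")
    }


class ScriptCollector(HTMLParser):
    """Record every <script> start tag with its nonce, src and line number."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attributes = dict(attrs)
            self.scripts.append({
                "nonce": attributes.get("nonce"),
                "src": attributes.get("src"),
                "line": self.getpos()[0],
            })


def audit(header, html):
    """Return a list of findings; an empty list means the page meets the stated requirements."""
    policy = parse_csp(header)
    sources = script_sources(policy)
    findings = []
    # Browsers ignore 'unsafe-inline' once a nonce is present, but the requirement
    # is that neither keyword be set at all, so both are reported regardless.
    if "'unsafe-inline'" in sources:
        findings.append("script policy allows 'unsafe-inline'")
    if "'unsafe-eval'" in sources:
        findings.append("script policy allows 'unsafe-eval'")
    nonces = header_nonces(policy)
    if not nonces:
        findings.append("script policy carries no nonce, so no inline script can be authorized")
    collector = ScriptCollector()
    collector.feed(html)
    for script in collector.scripts:
        if script["nonce"] is None:
            findings.append(f"<script> at line {script['line']} has no nonce attribute")
        elif script["nonce"] not in nonces:
            findings.append(
                f"<script> at line {script['line']} carries nonce {script['nonce']!r} "
                "that is not present in the header"
            )
    return findings


# Constructed sample data. A nonce must be unpredictable and generated per response.
NONCE = secrets.token_urlsafe(18)
WEAK_HEADER = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRICT_HEADER = f"default-src 'self'; script-src 'self' 'nonce-{NONCE}'"


def sample_page(nonce):
    """Constructed checkout-like page: two authorized scripts and one without a nonce (line 5)."""
    return f"""<html><head>
<script nonce="{nonce}" src="/static/alpine-csp.js"></script>
<script nonce="{nonce}">document.addEventListener('alpine:init', () => {{ /* register components */ }});</script>
</head><body>
<script>console.log('added without a nonce');</script>
</body></html>"""


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("strict", STRICT_HEADER)):
        print(f"[{label}]")
        for finding in audit(header, sample_page(NONCE)) or ["no findings"]:
            print("  -", finding)
```

Run against the weak header, the audit reports both forbidden keywords, the missing nonce and every script on the page; against the strict header only the nonce-less script on line 5 remains, which is exactly the script a nonce-based policy would block in the browser.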