
Introduction

Technical documentation for Hyvä Themes

To get started with CSP, please refer to the Hyvä Theme developer documentation.

PCI-DSS 4.0 Compliance

To achieve PCI-DSS 4.0 compliance, we must implement strict Content Security Policies (CSP) that enhance security by controlling how scripts are executed on our pages.

Key Requirements

Script Execution Controls:

  • The unsafe-inline and unsafe-eval policies for scripts must be disabled
  • All inline JavaScript requires authorization through a valid nonce attribute on <script> tags
  • Alpine.js must be updated to a CSP-compatible version

Checkout Page Changes

The following security measures are now enforced on checkout pages:

Strict CSP Implementation:

  • All scripts must include a valid nonce for authorization
  • Scripts must be present in the original page source and cannot be dynamically injected
  • No exceptions are permitted for inline script execution without proper authorization

These changes ensure that only explicitly authorized scripts can execute, significantly reducing the risk of cross-site scripting (XSS) attacks and meeting PCI-DSS 4.0 security standards.
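An added audit helper, not part of the Hyvä documentation or code base, that checks a response against the rules listed above: it parses the Content-Security-Policy header, reports 'unsafe-inline' or 'unsafe-eval' in script-src, and flags every <script> tag in the HTML that does not carry the header's nonce. The header strings, the nonce value and the HTML snippets are constructed samples.

```python
# Added audit helper (not Hyvä code); header, nonce and HTML samples are constructed.
import re
from html.parser import HTMLParser

def parse_script_src(csp_header):
    """Return the source list of script-src (falling back to default-src)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))

def header_nonce(sources):
    """Extract the value of a 'nonce-...' source expression, or None if absent."""
    for src in sources:
        m = re.fullmatch(r"'nonce-([A-Za-z0-9+/=_-]+)'", src)
        if m:
            return m.group(1)
    return None

class _ScriptCollector(HTMLParser):  # records the attributes of every <script> tag
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit(csp_header, html):
    """Return findings as strings; an empty list means the page passes every check."""
    findings = []
    sources = parse_script_src(csp_header)
    for forbidden in ("'unsafe-inline'", "'unsafe-eval'"):
        if forbidden in sources:
            findings.append(f"script-src allows {forbidden}")
    nonce = header_nonce(sources)
    if nonce is None:
        findings.append("script-src carries no nonce")
    collector = _ScriptCollector()
    collector.feed(html)
    for i, attrs in enumerate(collector.scripts, 1):
        if attrs.get("nonce") != nonce:  # missing or wrong nonce: the browser blocks it
            findings.append(f"<script> #{i} lacks a valid nonce (src={attrs.get('src', 'inline')})")
    return findings

GOOD_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3'"
GOOD_HTML = '<script nonce="r4nd0mN0nc3">window.x = 1;</script>'
BAD_CSP = "script-src 'self' 'unsafe-inline' 'nonce-r4nd0mN0nc3'"
BAD_HTML = '<script nonce="r4nd0mN0nc3" src="/a.js"></script><script>window.y = 2;</script>'
```

Browsers that understand nonces ignore 'unsafe-inline' once a nonce source is present, but the audit still reports it because the policy as shipped must not allow it.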