Strict Mode in Checkout
Hyvä Checkout enforces a strict Content Security Policy (CSP) on the checkout route to meet PCI-DSS 4.0 compliance requirements. This configuration removes the 'unsafe-eval' and 'unsafe-inline' source keywords from the script policy, preventing the execution of dynamically evaluated code and inline event handlers.
The strict CSP mode requires all scripts to be authorized with cryptographic nonces and prohibits inline event handlers like onclick. This security enhancement protects checkout pages from XSS attacks and script injection vulnerabilities.
Enforced strict CSP mode
Hyvä Checkout enforces strict Content Security Policies on the checkout route. This is a mandatory security requirement for PCI-DSS 4.0 compliance.
CSP Configuration in etc/config.xml
Magento's CSP implementation allows defining security policies for specific routes using the etc/config.xml file. Hyvä Checkout configures strict CSP for the checkout index route by default.
The following XML configuration shows how Hyvä Checkout enforces strict CSP. The report_only setting is disabled, meaning violations will block script execution rather than just logging warnings. The policies section disables eval, inline, and event_handlers for script execution.
<!-- disable inline scripts on hyva checkout -->
<csp>
    <mode>
        <storefront_hyva_checkout_index_index>
            <report_only>0</report_only>
        </storefront_hyva_checkout_index_index>
    </mode>
    <policies>
        <storefront_hyva_checkout_index_index>
            <scripts>
                <eval>0</eval>
                <inline>0</inline>
                <event_handlers>0</event_handlers>
            </scripts>
        </storefront_hyva_checkout_index_index>
    </policies>
</csp>
Configuring Custom Routes for Strict CSP
If you use custom routes for custom checkout functionality, you should apply the same strict CSP policies to those routes. This is particularly important for payment provider routes that handle sensitive customer data.
Example: Payment Provider Route
Consider a payment module Payment_Provider that includes a route /payment/pay(/index). The route configuration in etc/frontend/routes.xml defines the route structure:
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="standard">
        <route id="payment_provider" frontName="payment">
            <module name="Payment_Provider"/>
        </route>
    </router>
</config>
Enforcing Strict CSP on Custom Routes
To enforce PCI-DSS 4.0 compliant CSP on this custom payment route, add the following XML configuration to your module's etc/config.xml file. This configuration follows the same strict policy pattern used by Hyvä Checkout.
etc/config.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <!-- disable inline scripts on payment pages -->
        <csp>
            <mode>
                <storefront_payment_provider_pay_index>
                    <report_only>0</report_only>
                </storefront_payment_provider_pay_index>
            </mode>
            <policies>
                <storefront_payment_provider_pay_index>
                    <scripts>
                        <eval>0</eval>
                        <inline>0</inline>
                        <event_handlers>0</event_handlers>
                    </scripts>
                </storefront_payment_provider_pay_index>
            </policies>
        </csp>
    </default>
</config>
Determining the CSP Config Key for a Route
Magento CSP configuration keys follow a specific naming convention based on the route structure. For the route /payment/pay/index, the CSP config key is storefront_payment_provider_pay_index.
Each part of the config key is determined as follows:
- Area prefix (storefront or admin): The Magento area where the route is available. For checkout pages, this will always be storefront.
- Route ID (payment_provider): The value of the id attribute in the route configuration (see etc/frontend/routes.xml).
- Action path (pay): The action path (that is, the folder in the Controllers directory).
- Action class (index): The action class basename.
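As an added check that is not part of the Hyvä documentation or the Magento code base, the following Python script derives the CSP config key using the convention above and verifies that an etc/config.xml actually enforces the strict settings for that key. The routes.xml and config.xml samples are constructed inline; the refund route is a hypothetical, deliberately weak entry so the check has something to flag.

```python
import xml.etree.ElementTree as ET

# Constructed sample routes.xml, mirroring the Payment_Provider example above.
ROUTES_XML = """<?xml version="1.0"?>
<config><router id="standard">
  <route id="payment_provider" frontName="payment"><module name="Payment_Provider"/></route>
</router></config>"""

# Constructed sample etc/config.xml; the hypothetical refund route is deliberately weak.
CONFIG_XML = """<?xml version="1.0"?>
<config><default><csp>
  <mode>
    <storefront_payment_provider_pay_index><report_only>0</report_only></storefront_payment_provider_pay_index>
    <storefront_payment_provider_refund_index><report_only>1</report_only></storefront_payment_provider_refund_index>
  </mode>
  <policies>
    <storefront_payment_provider_pay_index>
      <scripts><eval>0</eval><inline>0</inline><event_handlers>0</event_handlers></scripts>
    </storefront_payment_provider_pay_index>
    <storefront_payment_provider_refund_index>
      <scripts><eval>0</eval><inline>1</inline></scripts>
    </storefront_payment_provider_refund_index>
  </policies>
</csp></default></config>"""

def csp_config_key(area, route_id, action_path, action_class):
    """Build the key as area_routeid_actionpath_actionclass, per the naming convention."""
    return "_".join([area, route_id, action_path, action_class])

def route_id_for_front_name(routes_xml, front_name):
    """Look up the route id whose frontName matches the first URL segment (e.g. 'payment')."""
    root = ET.fromstring(routes_xml)
    for route in root.iter("route"):
        if route.get("frontName") == front_name:
            return route.get("id")
    return None

def strict_csp_problems(config_xml, key):
    """Return the settings that are missing or not strict (not '0') for the given key."""
    root = ET.fromstring(config_xml)
    problems = []
    mode = root.find(f"./default/csp/mode/{key}/report_only")
    if mode is None or mode.text.strip() != "0":
        problems.append("report_only")  # missing or report-only: violations are not blocked
    for setting in ("eval", "inline", "event_handlers"):
        node = root.find(f"./default/csp/policies/{key}/scripts/{setting}")
        if node is None or node.text.strip() != "0":
            problems.append(setting)  # missing or enabled: unsafe-eval/unsafe-inline stays allowed
    return problems
```

A missing element counts as a problem because Magento's defaults would then apply for that route instead of the strict policy.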
Report-Only Mode for Development
During development and testing, you can enable report-only mode to observe CSP violations without blocking script execution. When enabled, the browser logs CSP violations to the console but still executes the scripts.
To enable report-only mode, set <report_only>1</report_only> in the etc/config.xml file. This allows you to identify and fix CSP violations before enforcing strict mode in production.
CSP violation reporting
Magento provides facilities to configure a report URI, where browsers can send CSP violations. Please refer to the Magento Developer Documentation for more information.