Content Security Policy

Technical documentation for Hyvä Themes

To get started with CSP, please refer to the Hyvä Theme developer documentation.

PCI-DSS 4.0 Compliance

To achieve PCI-DSS 4.0 compliance, we must implement strict Content Security Policies (CSP) that enhance security by controlling how scripts are executed on our pages.

Key Requirements

Script Execution Controls:

  • The unsafe-inline and unsafe-eval keywords must not be allowed for scripts
  • All inline JavaScript requires authorization through a valid nonce attribute on its <script> tag, matching the nonce sent in the CSP header for that response
  • Alpine.js must be updated to a CSP-compatible version

Checkout Page Changes

The following security measures are now enforced on checkout pages:

Strict CSP Implementation:

  • All scripts must include a valid nonce for authorization
  • Scripts must be present in the original page source and cannot be dynamically injected
  • No exceptions are permitted for inline script execution without proper authorization

These changes ensure that only explicitly authorized scripts can execute, significantly reducing the risk of cross-site scripting (XSS) attacks and meeting PCI-DSS 4.0 security standards.
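The two requirement lists above (no unsafe-inline/unsafe-eval for scripts, a nonce on every script, no dynamically injected scripts) can be turned into an automated check. The following Python script is an added example, not Hyvä code: it parses a CSP header, verifies the script sources against those rules, and then confirms that every `<script>` tag in the served HTML carries a nonce that matches the header. The header strings and HTML fragments are constructed sample data.

```python
"""Audit a page response against the strict-CSP rules for scripts.

Added example, not part of Hyvä. Checks three things:
  1. script-src carries neither 'unsafe-inline' nor 'unsafe-eval'
  2. script-src contains at least one 'nonce-...' source
  3. every <script> in the HTML carries a nonce that matches the header
"""
import secrets
from html.parser import HTMLParser


def make_nonce() -> str:
    """Fresh per-response nonce (128 bits, base64url); never reuse one across responses."""
    return secrets.token_urlsafe(16)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


class _ScriptCollector(HTMLParser):
    """Collect (src, nonce) for every <script> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[str | None, str | None]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("nonce")))


def audit_page(csp_header: str, html: str) -> list[str]:
    """Return a list of findings; an empty list means the page passes."""
    findings: list[str] = []
    policy = parse_csp(csp_header)
    # script-src falls back to default-src when absent, as the browser does
    script_src = policy.get("script-src", policy.get("default-src", []))

    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval'")

    nonces = {
        s[len("'nonce-"):-1]
        for s in script_src
        if s.startswith("'nonce-") and s.endswith("'")
    }
    if not nonces:
        findings.append("script-src has no nonce source")

    collector = _ScriptCollector()
    collector.feed(html)
    for i, (src, nonce) in enumerate(collector.scripts, 1):
        label = src or "inline"
        if nonce is None:
            findings.append(f"script #{i} ({label}) has no nonce attribute")
        elif nonce not in nonces:
            findings.append(f"script #{i} ({label}) nonce does not match the header")
    return findings


# Constructed sample data: a compliant response and a non-compliant one.
NONCE = make_nonce()
GOOD_HEADER = f"default-src 'self'; script-src 'self' 'nonce-{NONCE}'"
GOOD_HTML = (
    f'<html><body><script nonce="{NONCE}">window.cartReady = true;</script>'
    f'<script nonce="{NONCE}" src="/static/checkout.js"></script></body></html>'
)
BAD_HEADER = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
BAD_HTML = '<html><body><script>window.cartReady = true;</script></body></html>'

if __name__ == "__main__":
    print("good page:", audit_page(GOOD_HEADER, GOOD_HTML) or "OK")
    print("bad page:", audit_page(BAD_HEADER, BAD_HTML))
```

Run it against a captured response header and body from the checkout page; any finding means the page would fall outside the rules listed above. Because the nonce is generated per response, a cached HTML body served with a fresh header will show up as a nonce mismatch, which is exactly the failure to look for when full-page caching is involved.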

Shared templates with Alpine components

Hyvä Checkout 1.3.x and newer run in strict CSP mode with Alpine CSP. If your checkout reuses theme templates (for example, header/footer blocks) or custom components, they must be CSP-compatible or they will break checkout rendering.

  • Update any shared templates to use the CSP-safe patterns and register inline scripts with <?php $hyvaCsp->registerInlineScript() ?> immediately after each <script>.
  • If you are unsure which templates need changes, run the CSP migration tool to scan your theme: see Hyvä Theme CSP Migration Tool.
  • The Hyvä Default Theme version 1.3.12 and newer contains CSP-compatible versions of the shared components, which can serve as a reference for making custom components CSP-compatible.
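As a quick pre-check before running the migration tool, the following Python snippet (an added example, not the Hyvä migration tool) scans a `.phtml` template for `</script>` tags that are not immediately followed by `<?php $hyvaCsp->registerInlineScript() ?>`. It assumes the registration call is placed directly after the closing `</script>` tag; the template text is a constructed sample.

```python
"""Find inline scripts in a .phtml template that lack the Hyvä CSP registration call.

Added example, not Hyvä code. Assumes the expected pattern is
    </script>
    <?php $hyvaCsp->registerInlineScript() ?>
with only whitespace between the two.
"""
import re
import sys

SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)
# Registration call that must follow the closing tag; trailing ';' is optional.
REGISTER_CALL = re.compile(r"\s*<\?php\s+\$hyvaCsp->registerInlineScript\(\)\s*;?\s*\?>")


def find_unregistered_scripts(template: str) -> list[int]:
    """Return 1-based line numbers of </script> tags not followed by the registration call."""
    missing: list[int] = []
    for match in SCRIPT_CLOSE.finditer(template):
        rest = template[match.end():]
        if not REGISTER_CALL.match(rest):
            missing.append(template.count("\n", 0, match.start()) + 1)
    return missing


# Constructed sample template: the first script is registered, the second is not.
SAMPLE_TEMPLATE = """<div class="page-header">
<script>
    function initHeader() { return { open: false }; }
</script>
<?php $hyvaCsp->registerInlineScript() ?>
<script>
    console.log('footer loaded');
</script>
</div>
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample template, unregistered </script> at lines:",
              find_unregistered_scripts(SAMPLE_TEMPLATE))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            lines = find_unregistered_scripts(fh.read())
        for line in lines:
            print(f"{path}:{line}: </script> without registerInlineScript()")
```

Pass one or more template paths on the command line to scan real files; without arguments it reports on the embedded sample. The scan only covers the registration call, so templates that pass it still need the Alpine CSP changes the migration tool reports.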