
Security Compliance

Introduction

Our company, Hyvä Themes, takes security seriously. We have implemented various measures to protect our customers' data and ensure the integrity of their online stores.

Script Hijacking & Injection

When using the CSP-enabled version of Hyvä Theme and Hyvä Checkout, the frontend is protected by a strict Content Security Policy (CSP). This policy works by sending HTTP headers that define exactly which scripts are allowed to run in the browser.

Important: a strict CSP is enforced in Hyvä Checkout

On every checkout page load/request, the browser applies the policy, and only scripts explicitly permitted by the CSP (including valid nonced inline scripts) are allowed to execute.

PCI-DSS relevance (payment pages)

Strict CSP is also an important part of PCI-DSS 4.0 alignment for payment-related pages: PCI-DSS 4.0 requires disallowing the unsafe-eval and unsafe-inline CSP directives for scripts on payment-related pages (effective April 1, 2025).

For the full background, scope discussion, and implementation strategy options, see the dedicated documentation: Content Security Policy (CSP) for Hyvä Themes.

Hyvä uses nonces for inline scripts. This means:

  • Each allowed inline script is assigned a unique, random nonce on every request.
  • The browser will only execute scripts that carry the correct nonce.
  • Any injected, unknown, or malicious scripts (e.g., from XSS or compromised third-party tags) are blocked by the browser and simply won't run.

This significantly reduces the risk of:

  • Script hijacking
  • JavaScript injection
  • Malicious third-party scripts executing on the checkout

In short: when using the CSP version of Hyvä Theme and Hyvä Checkout, only explicitly approved scripts can run on the frontend, including the checkout journey.

Security Policy

We have a comprehensive SECURITY.md that outlines our approach to security in our projects.

Reporting a Vulnerability

If you believe you've found a security vulnerability in this project, we encourage you to let us know. Please report it by emailing us at security at hyva.io. We take security seriously and will respond as quickly as possible.

Bug Bounty Program

Please note that we do not have a paid bug bounty program at this time. However, we appreciate your efforts in helping us keep our project secure.

Guidelines for Reporting

When reporting a vulnerability, please include the following information:

  • A clear description of the vulnerability.
  • Steps to reproduce the issue.
  • Any relevant screenshots or logs.
  • Your contact information (optional) for follow-up questions.

Response Timeline

We aim to acknowledge your report within 5 business days. Please note that complexity may affect the time it takes to fix the issue, and there is no fixed deadline for resolutions.

Disclosure Policy

We will determine public disclosure timelines on a case-by-case basis once an issue has been resolved. Our goal is to balance transparency with user safety.

Our Commitment

We commit to:

  • Acknowledging your report promptly.
  • Investigating all reported vulnerabilities thoroughly.
  • Keeping you updated on our progress towards fixing the issue.

Content of SECURITY.md

You can find an example in hyva-themes/magento2-theme-module.