
Content Security Policy (CSP) for Hyvä Themes

Content Security Policy (CSP) is a browser security mechanism, delivered as an HTTP response header, that restricts which scripts, styles, and other resources a page may load and execute. For Magento and Hyvä developers, CSP compliance is critical because PCI-DSS 4.0 requires that the 'unsafe-eval' and 'unsafe-inline' source keywords be removed from the script policy of payment-related pages starting April 1, 2025.

This page explains the PCI-DSS requirements affecting Hyvä themes and the CSP-compatible options Hyvä provides. For a general introduction to CSP concepts, see our blog post What is CSP and why should I care?.

PCI-DSS 4.0 Requirements for Payment Pages

Starting April 1, 2025, PCI-DSS 4.0 requires stricter CSP policies on payment-related pages. The 'unsafe-eval' and 'unsafe-inline' keywords must not appear in the policy that governs scripts (script-src, or default-src when script-src is absent), so that injected JavaScript cannot execute.
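The following is an added example, not code from the Hyvä documentation or the Hyvä project: a small audit that reads a Content-Security-Policy header value and reports whether the policy governing scripts still allows inline or eval'd JavaScript, which is the question the requirement above asks of every payment page. The header values inside it are constructed samples, not policies taken from any real Hyvä or Magento installation.

```javascript
// Added example (not from the Hyvä docs): audit a Content-Security-Policy
// header for the 'unsafe-inline' and 'unsafe-eval' keywords on the policy
// that actually governs scripts. Sample headers below are constructed.

// Parse "directive value value; directive value" into a Map of directive
// name -> source expression tokens. Per the CSP spec, directive names are
// ASCII case-insensitive and a repeated directive is ignored, so the first
// occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; when it is absent the browser falls back to
// default-src, and when both are absent nothing restricts script at all.
function effectiveScriptSources(directives) {
  for (const name of ['script-src', 'default-src']) {
    if (directives.has(name)) return { from: name, sources: directives.get(name) };
  }
  return { from: null, sources: [] };
}

function auditScriptSources(header) {
  const { from, sources } = effectiveScriptSources(parseCsp(header));
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeEval = lower.includes("'unsafe-eval'");
  const unsafeInline = lower.includes("'unsafe-inline'");
  // CSP Level 2 and later: when a nonce-source or hash-source is present in
  // the list, 'unsafe-inline' is ignored. Only legacy CSP1-only browsers
  // would still honour it, so it is reported separately rather than as a
  // blocking finding.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const unsafeInlineIgnored = unsafeInline && hasNonceOrHash;

  const findings = [];
  if (from === null) findings.push('no script-src or default-src: every script source is allowed');
  if (unsafeEval) findings.push(`'unsafe-eval' present in ${from}`);
  if (unsafeInline && !unsafeInlineIgnored) findings.push(`'unsafe-inline' present in ${from}`);
  if (unsafeInlineIgnored) {
    findings.push(`'unsafe-inline' present in ${from} but ignored by CSP2+ browsers (nonce/hash present)`);
  }

  return {
    from,
    unsafeEval,
    unsafeInline,
    unsafeInlineIgnored,
    // What a current browser will actually enforce on this page.
    allowsUnsafeScript: from === null || unsafeEval || (unsafeInline && !unsafeInlineIgnored),
    findings,
  };
}

// Constructed sample headers for illustration only.
const SAMPLE_POLICIES = {
  // Typical "make everything work" policy: fails the payment-page requirement.
  permissive: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example",
  // Only default-src is set, so it silently governs scripts as well.
  fallback: "default-src 'self' 'unsafe-inline'; img-src *",
  // Nonce-based policy of the kind a CSP-compatible theme build targets.
  strict: "default-src 'self'; script-src 'self' 'nonce-7rKq9sP2' 'strict-dynamic'; object-src 'none'; base-uri 'self'",
  // 'unsafe-inline' kept only as a fallback for CSP1-only browsers.
  nonceWithFallback: "script-src 'self' 'nonce-7rKq9sP2' 'unsafe-inline'",
};

// Audit every policy in a name -> header map and return name -> result.
function auditAll(policies = SAMPLE_POLICIES) {
  const report = {};
  for (const [name, header] of Object.entries(policies)) {
    report[name] = auditScriptSources(header);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(auditAll())) {
    console.log(`${name}: allowsUnsafeScript=${result.allowsUnsafeScript}`);
    for (const finding of result.findings) console.log(`  - ${finding}`);
  }
}
```

Run it with `node csp-audit.js` (any file name works) against the samples, or call `auditScriptSources()` with the header value copied from the checkout page's response. The fallback case is the one most often missed in practice: a page with no script-src at all inherits whatever default-src allows, and an unrestricted policy with neither directive allows everything.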

Why is PCI-DSS becoming more strict?

Modern credit card skimming attacks no longer need to compromise a server-side payment form. Most merchants hand payment processing to a payment service provider (PSP) through a redirect or an iframe, so attackers have shifted to the merchant page that surrounds the PSP's form.

Current attacks inject JavaScript into that page which redirects customers to a phishing site mimicking the legitimate PSP. After the customer enters their card details, they are forwarded to the real PSP and complete the purchase without noticing the interception.

A strict CSP blocks this attack at its first step: the injected script is never executed, even though the payment form itself is served by an external PSP. This holds as long as the injected code does not come from an origin the policy already allows, which is why the script policy should be kept as narrow as the page's legitimate scripts permit.

Which Pages Require Strict CSP?

The PCI-DSS 4.0 specification states in requirement 6.4.3:

All payment page scripts that are loaded and executed in the consumer's browser

The exact scope remains ambiguous. It is unclear whether this applies only to checkout pages or also to pages with in-context payment buttons (PayPal Express, Apple Pay, etc.).

The PCI-DSS 4.0.1 Self Assessment Questionnaire (SAQ-A) provides limited guidance:

For SAQ A, Requirement 6 applies to merchant server(s) with a webpage that either 1) redirects customers from the merchant webpage to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP's/payment processor's embedded payment page/form (for example, one or more inline frames or iframes).

Factors Affecting Compliance Requirements

Compliance interpretation may vary based on:

  • Merchant's country of operation
  • Type of goods sold
  • Security track record of merchant and hosting provider
  • Payment service provider requirements

Merchant Responsibility for PCI-DSS Compliance

Each merchant is responsible for evaluating their specific compliance requirements and implementing appropriate measures. Hyvä cannot make this determination for merchants.

Hyvä provides CSP-compatible versions of both Hyvä Theme and Hyvä Checkout, but merchants must choose the appropriate implementation strategy based on their compliance requirements.

Hyvä CSP Implementation Options

Merchants can choose from several CSP implementation strategies depending on their compliance needs:

  • Strict CSP checkout only. Enable CSP strict mode only on checkout pages. Use case: balances security with development flexibility.
  • Strict CSP checkout + redirect buttons. Strict CSP on checkout, with in-context payment buttons switched to redirect-based flows. Use case: preserves UX while ensuring compliance.
  • Full theme CSP compatibility. Use the Alpine CSP build site-wide. Use case: maximum security; requires more code migration.

For Alpine.js CSP compatibility details, see Alpine CSP. For Hyvä Checkout CSP configuration, see Hyvä Checkout CSP Documentation.