Firstoken Monitor Implementation Guide

Understanding Content Security Policy (CSP)

What is a Content Security Policy?

A Content Security Policy (CSP) is a security feature implemented by web browsers to prevent various types of attacks, particularly cross-site scripting (XSS) and data injection attacks. It works by specifying which content sources are considered trusted by your web application, controlling what resources (such as scripts, stylesheets, images, and more) can be loaded and executed.

CSP is implemented through an HTTP header, providing an additional layer of security beyond same-origin policies.

Why is CSP important for payment pages?

  • Mitigate XSS Attacks: CSP prevents malicious scripts from executing, even if an attacker manages to inject them

  • Prevent Data Theft: Restricts where sensitive payment data can be sent

  • Detect Violations: Reports security violations in real-time for immediate response

  • Enforce HTTPS: Ensures all payment-related content is loaded over secure connections

  • Control Resource Loading: Explicitly whitelists trusted sources, reducing attack vectors

  • Clickjacking Protection: Controls which domains can embed your payment pages

CSP Directives Explained

Each CSP directive controls different types of resources:

Directive        Controls                                  Example value
default-src      Fallback for all other directives         'self'
script-src       JavaScript execution                      'self' https://js.stripe.com
style-src        CSS stylesheets                           'self' https://fonts.googleapis.com
img-src          Image sources                             'self' data: https://cdn.example.com
connect-src      AJAX, WebSocket, EventSource              'self' https://api.stripe.com
font-src         Font loading                              'self' https://fonts.gstatic.com
frame-src        iframe sources                            https://js.stripe.com
object-src       Plugins (Flash, etc.)                     'none'
form-action      Form submission targets                   'self'
frame-ancestors  Who can embed your page                   'self'
report-uri       Where CSP violations are sent             https://monitor.firstoken.co/v1/pages/...

Common CSP Source Values

  • 'self': Same origin (same scheme, host, and port)

  • 'none': No sources allowed

  • 'unsafe-inline': Allows inline scripts/styles (not recommended for production)

  • 'unsafe-eval': Allows eval() and similar functions (not recommended)

  • https://domain.com: Specific domain

  • *.domain.com: Any subdomain of domain.com

  • data: (scheme source): Data URIs (commonly used for inline images)
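The following example, added here and not part of the original guide or of Firstoken's own code, shows the directives and source values above in practice: it assembles the payment-page policy from the table into a Content-Security-Policy header value, lints it for the weak settings the list warns about ('unsafe-inline', 'unsafe-eval', missing object-src 'none', no reporting directive), and triages a constructed violation report of the kind a browser POSTs to the report-uri endpoint. The checkout URL, the report-uri path segment and the blocked host are placeholders.

```python
"""Build, lint and triage a payment-page CSP (added example; all sample values are constructed)."""
import json

# Fetch directives fall back to default-src when they are absent from the policy.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "object-src", "media-src"}

# Directive map for a hypothetical payment page, taken from the table above.
# The report-uri path segment is a placeholder, not a real monitoring endpoint.
PAYMENT_PAGE_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://js.stripe.com"],
    "style-src": ["'self'", "https://fonts.googleapis.com"],
    "img-src": ["'self'", "data:", "https://cdn.example.com"],
    "connect-src": ["'self'", "https://api.stripe.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "frame-src": ["https://js.stripe.com"],
    "object-src": ["'none'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'self'"],
    "report-uri": ["https://monitor.firstoken.co/v1/pages/REPORT_ENDPOINT_PLACEHOLDER"],
}

# Directives whose violations point at script execution or an outbound data channel.
HIGH_RISK_DIRECTIVES = {"script-src", "connect-src", "form-action"}


def serialize_csp(policy):
    """Render a directive map as the Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_csp(header_value):
    """Parse a header value back into a directive map; directive names are case-insensitive."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a directive, honouring the default-src fallback for fetch directives."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def lint_csp(policy):
    """Findings a reviewer would raise before deploying this policy on a payment page."""
    findings = []
    scripts = effective_sources(policy, "script-src")
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:"):
        if weak in scripts:
            findings.append(f"script-src permits {weak}: injected or third-party scripts could run")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src should be 'none' on a page that loads no plugin content")
    for required in ("frame-ancestors", "form-action"):
        if required not in policy:  # neither directive falls back to default-src
            findings.append(f"{required} missing: embedding or form submission is unrestricted")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no reporting directive: violations are blocked but never observed")
    return findings


def triage_report(report_body):
    """Classify one CSP violation report (the JSON body a browser POSTs to report-uri)."""
    report = json.loads(report_body)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    policy = parse_csp(report.get("original-policy", ""))
    if blocked in ("inline", "eval"):  # an injected inline <script> shows up this way
        summary = f"inline/eval blocked by {directive}"
    else:
        summary = f"{directive} request to {blocked} blocked"
    return {
        "directive": directive,
        "blocked_uri": blocked,
        "document_uri": report.get("document-uri", ""),
        "allowed_sources": effective_sources(policy, directive),
        "severity": "high" if directive in HIGH_RISK_DIRECTIVES else "low",
        "summary": summary,
    }


# Constructed report: a script from an unlisted host was blocked on the checkout page.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.com/checkout",
    "referrer": "",
    "violated-directive": "script-src 'self' https://js.stripe.com",
    "effective-directive": "script-src",
    "original-policy": serialize_csp(PAYMENT_PAGE_CSP),
    "blocked-uri": "https://unknown-cdn.invalid",
    "status-code": 200,
}})

if __name__ == "__main__":
    print("Content-Security-Policy:", serialize_csp(PAYMENT_PAGE_CSP))
    print("lint:", lint_csp(PAYMENT_PAGE_CSP) or "clean")
    print("report:", triage_report(SAMPLE_REPORT))
```

Run the script to see the header value, an empty lint result for the table's policy, and the triaged report; passing a policy with 'unsafe-inline' in script-src to lint_csp shows why the source list above marks it as not recommended. The triage step is deliberately simple: a blocked script-src, connect-src or form-action target on a payment page is the signal worth alerting on, while image or font blocks are usually noise from misconfiguration.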

What is Firstoken Monitor?

Firstoken Monitor is a specialized security solution designed to protect payment pages from attacks like XSS, web skimming, and data exfiltration. Our platform helps you comply with PCI DSS v4 requirement 11.6.1, which becomes mandatory on March 31, 2025.

Why do you need Firstoken Monitor?

  • Real-time detection of attacks like Magecart and web skimming.

  • Automatic notifications via email or webhook.

  • PCI DSS 11.6.1 compliance validated by QSA.

  • Agent-free: relies only on standard CSP headers, with no script or agent added to your page.

  • Easy integration without modifying your source code.
