Step-by-Step Setup
Step 1: Create External Application
Why do you need to create an External Application?
The External Application serves as your authentication mechanism for secure communication between your website and Firstoken Monitor. When CSP violations occur on your payment pages, your server needs to authenticate these reports using a signed JWT token before sending them to our monitoring endpoints. This ensures that:
Only legitimate reports from your domain are processed
Malicious actors cannot flood your monitoring with fake violations
Each report is cryptographically signed and verifiable
Your monitoring data remains secure and tamper-proof
The Signing key type generates the secret key you'll use to create JWT tokens that authenticate each CSP violation report.
Setup Instructions:
Access your Firstoken console and navigate to External Applications
Click "+ New External Application"
Fill in the basic information:
Name:
Monitor my checkout page
(or your preferred name)Description:
Application for payment page monitoring
Key Type: Select "Signing"
In Permissions, make sure to select:
Monitor a Page
Configure IP Whitelist:
Add IPs from where requests will be made
For development, you can temporarily use
0.0.0.0/0
Save the configuration
Important: Securely save your Secret Key - you'll need it to generate JWT tokens.
Step 2: Create Page Monitor
Go to Monitor > Pages in the console
Click "+ New Page Monitor"
Configure the page information:
Name:
Monitor my Checkout Page
Description: Description of your payment page
Base URL:
https://your-site.com/checkout
(your payment page)URL patterns:
/*
(to monitor all sub-routes)
Connect your External Application:
In the "External Application" section
Select the application you created in Step 1
Configure notifications:
Add email addresses that will receive alerts
The account owner's email is automatically included
Save the configuration
After creating the monitor, you'll receive a unique URL like:
https://monitor.firstoken.co/v1/pages/8BD7A644AC
Step 3: Implement CSP on your server
Now you need to configure your Content Security Policy (CSP) to send reports to Firstoken Monitor when security violations are detected.
Basic example with Express.js:
const express = require('express');
const jwt = require('jsonwebtoken');
const app = express();
const SECRET_KEY = 'your-firstoken-secret-key'; // From Step 1
const MONITOR_URL = 'https://monitor.firstoken.co/v1/pages/8BD7A644AC'; // From Step 2
// Function to generate JWT token
function generateToken() {
return jwt.sign(
{ jwtPayload: {} },
SECRET_KEY,
{ expiresIn: '5d' }
);
}
// CSP middleware for payment pages
app.use('/checkout', (req, res, next) => {
const token = generateToken();
res.setHeader('Content-Security-Policy',
`default-src 'self'; ` +
`script-src 'self' https://captures.firstoken.co https://api.firstoken.co; ` +
`style-src 'self' https://fonts.googleapis.com; ` +
`img-src 'self' data: https://fonts.googleapis.com; ` +
`connect-src 'self' https://api.firstoken.co; ` +
`font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; ` +
`object-src 'none'; ` +
`base-uri 'self'; ` +
`form-action 'self'; ` +
`frame-ancestors 'self'; ` +
`frame-src https://captures.firstoken.co; ` +
`child-src 'self'; ` +
`worker-src 'none'; ` +
`report-uri ${MONITOR_URL}?t=${token}`
);
next();
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
Even simpler example (no dependencies):
const jwt = require('jsonwebtoken');
const SECRET_KEY = 'your-firstoken-secret-key';
const MONITOR_URL = 'https://monitor.firstoken.co/v1/pages/8BD7A644AC';
function generateToken() {
return jwt.sign({ jwtPayload: {} }, SECRET_KEY, { expiresIn: '5d' });
}
function addCSPHeader(req, res, next) {
const token = generateToken();
res.setHeader('Content-Security-Policy',
`default-src 'self'; script-src 'self'; style-src 'self'; ` +
`img-src 'self'; font-src 'self'; connect-src 'self'; ` +
`frame-ancestors 'self'; frame-src 'self'; child-src 'self'; ` +
`worker-src 'none'; report-uri ${MONITOR_URL}?t=${token}`
);
next();
}
// Use on your payment routes
app.use('/checkout', addCSPHeader);
app.use('/payment', addCSPHeader);
CSP Configuration for different scenarios
For sites with external JavaScript:
function generateCSPForPaymentProviders() {
const token = generateToken();
return `default-src 'self'; ` +
`script-src 'self' https://captures.firstoken.co https://api.firstoken.co https://www.googletagmanager.com; ` +
`connect-src 'self' https://api.firstoken.co https://www.google-analytics.com; ` +
`frame-src https://captures.firstoken.co https://api.firstoken.co/proxy; ` +
`style-src 'self' https://fonts.googleapis.com; ` +
`font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; ` +
`img-src 'self' data: https://www.google-analytics.com; ` +
`report-uri https://monitor.firstoken.co/v1/pages/8BD7A644AC?t=${token}`;
}
For sites with CDN:
function generateCSPForCDN() {
const token = generateToken();
return `default-src 'self'; ` +
`script-src 'self' https://cdn.firstoken.co https://captures.firstoken.co; ` +
`style-src 'self' https://cdn.firstoken.co https://fonts.googleapis.com; ` +
`font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; ` +
`img-src 'self' data: https://cdn.firstoken.co; ` +
`frame-src https://captures.firstoken.co; ` +
`frame-ancestors 'self' https://captures.firstoken.co; ` +
`report-uri https://monitor.firstoken.co/v1/pages/8BD7A644AC?t=${token}`;
}
Step 4: Verification and Testing
1. Verify your CSP is active:
Open your browser's developer tools and go to the Network tab. Look for response headers and confirm that Content-Security-Policy
is present.
2. Test report generation:
Try loading an unauthorized script on your page to generate a CSP violation and verify that the report is sent to Firstoken Monitor.
3. Check notifications:
Verify that alerts reach the configured destinations:
Email notifications: Alerts sent to configured email addresses
Webhook notifications: If you've configured a webhook in the Firstoken console, violations will also be sent via HTTP POST to your specified URL
4. Monitor the dashboard:
Log into your Firstoken console to view real-time violation reports and detailed incident analysis.
Last updated
Was this helpful?