# Implementing Monitor

### Understanding Content Security Policy (CSP)

#### What is a Content Security Policy?

A **Content Security Policy (CSP)** is a security feature implemented by web browsers to prevent various types of attacks, particularly **cross-site scripting (XSS)** and **data injection attacks**. It works by specifying which content sources are considered trusted by your web application, controlling what resources (such as scripts, stylesheets, images, and more) can be loaded and executed.

CSP is delivered through the `Content-Security-Policy` HTTP response header, providing an additional layer of defence beyond the browser's same-origin policy.

#### Why is CSP important for payment pages?

* **Mitigate XSS Attacks**: CSP prevents malicious scripts from executing, even if an attacker manages to inject them
* **Prevent Data Theft**: Restricts where sensitive payment data can be sent
* **Detect Violations**: Reports security violations in real-time for immediate response
* **Enforce HTTPS**: Ensures all payment-related content is loaded over secure connections
* **Control Resource Loading**: Explicitly whitelists trusted sources, reducing attack vectors
* **Clickjacking Protection**: Controls which domains can embed your payment pages

#### CSP Directives Explained

Each CSP directive controls a different type of resource:

| Directive         | Purpose                               | Example value                               |
| ----------------- | ------------------------------------- | ------------------------------------------- |
| `default-src`     | Fallback for all other directives     | `'self'`                                    |
| `script-src`      | Controls JavaScript execution         | `'self' https://captures.firstoken.co`      |
| `style-src`       | Controls CSS stylesheets              | `'self' https://fonts.googleapis.com`       |
| `img-src`         | Controls image sources                | `'self' data: https://cdn.firstoken.co`     |
| `connect-src`     | Controls AJAX, WebSocket, EventSource | `'self' https://api.firstoken.com`          |
| `font-src`        | Controls font loading                 | `'self' https://fonts.gstatic.com`          |
| `frame-src`       | Controls iframe sources               | `https://captures.firstoken.co`             |
| `object-src`      | Controls plugins (Flash, etc.)        | `'none'`                                    |
| `form-action`     | Controls form submission targets      | `'self'`                                    |
| `frame-ancestors` | Controls who can embed your page      | `'self' https://captures.firstoken.co`      |
| `report-uri`      | **Where CSP violations are sent**     | `https://monitor.firstoken.co/v1/pages/...` |

`report-uri` is deprecated in CSP Level 3 in favour of `report-to`, but it remains the most widely supported way of delivering violation reports.

#### Common CSP Source Values

* `'self'`: Same origin (same scheme, host, and port)
* `'none'`: No sources allowed
* `'unsafe-inline'`: Allows inline scripts/styles (not recommended for production)
* `'unsafe-eval'`: Allows eval() and similar functions (not recommended)
* `https://domain.com`: Specific domain
* `*.domain.com`: Any subdomain of domain.com
* `data:`: Data URIs (commonly used for inline images)
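
The following is an added example, not code from Firstoken's documentation or product: it serialises a directive map like the table above into the `Content-Security-Policy` (or `Report-Only`) header, and triages the JSON report a browser POSTs to `report-uri`, rating violations of `script-src`, `connect-src` and `form-action` highest because those are the skimming and exfiltration signals. The `report-uri` endpoint and the sample report are placeholders constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Subset of the directives from the table above; the report-uri is a placeholder endpoint.
PAYMENT_PAGE_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://captures.firstoken.co"],
    "connect-src": ["'self'", "https://api.firstoken.com"],
    "frame-src": ["https://captures.firstoken.co"],
    "object-src": ["'none'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'self'", "https://captures.firstoken.co"],
    "report-uri": ["https://monitor.example/csp-reports"],  # placeholder, not a real endpoint
}

def build_csp_header(policy, report_only=False):
    """Serialise a directive map into (header name, header value)."""
    # Report-Only reports violations without blocking: the usual first step on a live payment page.
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{d} {' '.join(src)}" for d, src in policy.items())
    return name, value

# A violation of these directives means script ran, or data left the page: the skimming signals.
HIGH_RISK_DIRECTIVES = {"script-src", "connect-src", "form-action"}

def triage_report(body):
    """Parse one report-uri POST body (application/csp-report JSON) and rate its severity."""
    report = json.loads(body)["csp-report"]
    # effective-directive names the precise directive; older browsers send only violated-directive.
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    host = urlsplit(blocked).netloc if blocked.startswith(("http://", "https://")) else blocked
    if directive in HIGH_RISK_DIRECTIVES and host not in ("", "inline", "eval", "self"):
        severity = "high"    # traffic to an origin the policy never allowed
    elif host in ("inline", "eval"):
        severity = "medium"  # injected inline script, or a legitimate inline snippet: inspect it
    else:
        severity = "low"     # e.g. a blocked image or font, usually a missing allowlist entry
    return {"page": report.get("document-uri"), "directive": directive,
            "blocked_host": host, "severity": severity}

# Constructed sample report in the shape a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "connect-src 'self' https://api.firstoken.com",
    "effective-directive": "connect-src",
    "blocked-uri": "https://unknown-host.example/collect",
}})
```

Roll the policy out with `report_only=True` first and watch what `triage_report` returns for real traffic; once only expected violations remain, switch to the enforcing header.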

### What is Firstoken Monitor?

**Firstoken Monitor** is a specialized security solution designed to protect payment pages from attacks like **XSS**, **web skimming**, and **data exfiltration**. Our platform helps you comply with **PCI DSS v4 requirement 11.6.1**, which becomes mandatory on **March 31, 2025**.

#### Why do you need Firstoken Monitor?

* **Real-time detection** of attacks like Magecart and web skimming.
* **Automatic notifications** via email or webhook.
* **PCI DSS 11.6.1 compliance** validated by QSA.
* **Agent-free**: relies on standard CSP headers alone, with nothing to install on your servers.
* **Easy integration** without modifying your source code.

Firstoken Monitor offers two distinct security monitoring products for comprehensive web application protection:

1. [**CSP Real-Time Monitoring**](/api-docs/guides/implementing-monitor/csp-real-time-monitoring.md): Real-time protection requiring code implementation
2. [**Security Headers Scanner**](/api-docs/guides/implementing-monitor/security-headers-scanner.md): Automated weekly validation with zero code implementation

These products can be used independently or together based on your security requirements.
