These docs are for v1.0.1; the latest docs are for v2.1.0.

Content Security Policy

As an additional layer of defense against cross-site scripting (XSS), clickjacking and other code injection attacks, it is recommended to put strict Content Security Policy (CSP) directives in place.

This page describes which directives are required in order for Datatrans browser payment solutions to work correctly.

Warning: This document assumes that the reader already has a restrictive Content Security Policy in place. Once a CSP header is sent, every internal and external resource the page loads must be allowed by it. To avoid CSP violations, declare any further script, style and frame sources your project needs.

Payment Page

The following directives are required when using Payment Page:

Directive    Production                Sandbox
script-src   pay.datatrans.com         pay.sandbox.datatrans.com
             payment.datatrans.biz     pilot.datatrans.biz
             payment.datatrans.swiss
             payment.datatrans2.biz
style-src    'unsafe-inline'           'unsafe-inline'
frame-src    pay.datatrans.com         pay.sandbox.datatrans.com
             payment.datatrans.biz     pilot.datatrans.biz
             payment.datatrans.swiss
             payment.datatrans2.biz

Example (production)

Content-Security-Policy: default-src 'self'; script-src 'self' pay.datatrans.com payment.datatrans.biz payment.datatrans.swiss payment.datatrans2.biz; style-src 'self' 'unsafe-inline'; frame-src 'self' pay.datatrans.com payment.datatrans.biz payment.datatrans.swiss payment.datatrans2.biz

Secure Fields

The following directives are required when using Secure Fields:

Directive    Production                Sandbox
script-src   pay.datatrans.com         pay.sandbox.datatrans.com
             payment.datatrans.biz     pilot.datatrans.biz
             pci-proxy.com             sandbox.pci-proxy.com
style-src    'unsafe-inline'           'unsafe-inline'
frame-src    pay.datatrans.com         pay.sandbox.datatrans.com
             payment.datatrans.biz     pilot.datatrans.biz
             pci-proxy.com             sandbox.pci-proxy.com

Example (production)

Content-Security-Policy: default-src 'self'; script-src 'self' pay.datatrans.com payment.datatrans.biz pci-proxy.com; style-src 'self' 'unsafe-inline'; frame-src 'self' pay.datatrans.com payment.datatrans.biz pci-proxy.com
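A practical way to verify that an existing policy satisfies the Payment Page and Secure Fields tables above is to parse the header value and report which required sources it does not allow. The checker below is an added example written for this page, not Datatrans code; the required hosts are taken from the two tables, and the fallback behaviour it applies (script-src and style-src fall back to default-src, frame-src to child-src and then default-src) follows the CSP Level 3 specification. The product and environment names ("payment-page", "secure-fields", "production", "sandbox") are labels chosen for this example.

```python
# Added example (not Datatrans code): report which Datatrans sources a
# Content-Security-Policy header value is missing. Required hosts come from
# the tables on this page; fallback rules follow CSP Level 3.
from __future__ import annotations

PROD = {"pay.datatrans.com", "payment.datatrans.biz",
        "payment.datatrans.swiss", "payment.datatrans2.biz"}
SANDBOX = {"pay.sandbox.datatrans.com", "pilot.datatrans.biz"}
SF_PROD = {"pay.datatrans.com", "payment.datatrans.biz", "pci-proxy.com"}
SF_SANDBOX = SANDBOX | {"sandbox.pci-proxy.com"}
INLINE = {"'unsafe-inline'"}

# (product, environment) -> directive -> required source expressions (labels are ours)
REQUIRED = {
    ("payment-page", "production"): {"script-src": PROD, "style-src": INLINE, "frame-src": PROD},
    ("payment-page", "sandbox"): {"script-src": SANDBOX, "style-src": INLINE, "frame-src": SANDBOX},
    ("secure-fields", "production"): {"script-src": SF_PROD, "style-src": INLINE, "frame-src": SF_PROD},
    ("secure-fields", "sandbox"): {"script-src": SF_SANDBOX, "style-src": INLINE, "frame-src": SF_SANDBOX},
}
# A directive that is absent inherits from the next one in its chain (CSP3).
FALLBACK = {"script-src": ["default-src"], "style-src": ["default-src"],
            "frame-src": ["child-src", "default-src"]}

# The production Payment Page example from this page, used by the demo below.
EXAMPLE_PP = ("default-src 'self'; "
              "script-src 'self' pay.datatrans.com payment.datatrans.biz "
              "payment.datatrans.swiss payment.datatrans2.biz; "
              "style-src 'self' 'unsafe-inline'; "
              "frame-src 'self' pay.datatrans.com payment.datatrans.biz "
              "payment.datatrans.swiss payment.datatrans2.biz")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Names and sources are compared case-insensitively, so everything is
    lower-cased. A directive that appears twice keeps its first occurrence,
    which is how browsers treat duplicates.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list governing `directive` after fallback; None when unrestricted."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def source_allows(expr: str, required: str) -> bool:
    """Does one policy source expression cover one required source?

    Handles exact hosts, an optional scheme/port/path, the `*` wildcard and
    `*.example.com` host wildcards. Keyword sources such as 'unsafe-inline'
    only match themselves.
    """
    if required.startswith("'"):
        return expr == required
    host = expr.split("://", 1)[1] if "://" in expr else expr
    host = host.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    if host == "*":
        return True
    if host.startswith("*."):
        return required.endswith(host[1:])  # "*.datatrans.com" -> ".datatrans.com"
    return host == required


def missing_sources(header: str, product: str, environment: str) -> dict[str, set[str]]:
    """Return {directive: {required sources the header does not allow}}.

    A directive the header leaves completely unrestricted needs nothing added
    and is omitted; a 'none' source list blocks every required source.
    """
    policy = parse_csp(header)
    report: dict[str, set[str]] = {}
    for directive, needed in REQUIRED[(product, environment)].items():
        sources = effective_sources(policy, directive)
        if sources is None:
            continue
        if sources == ["'none'"]:
            sources = []
        missing = {r for r in needed if not any(source_allows(s, r) for s in sources)}
        if missing:
            report[directive] = missing
    return report


if __name__ == "__main__":
    # Check the page's production policy against both environments.
    for env in ("production", "sandbox"):
        print(env, missing_sources(EXAMPLE_PP, "payment-page", env) or "OK")
```

Run it against the header your application actually sends, for the product and environment you are deploying; an empty report means every source the tables call for is allowed, either directly or through the fallback directive. The matcher deliberately treats a bare `*` as allowing any host, so a report of "OK" does not by itself mean the policy is tight, only that the Datatrans sources are covered.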