Content Security Policy (CSP)

    This article will outline how to add/edit Content Security Policies in the Powered By Jumbo Admin platform.

    What Is Content Security Policy (CSP)

    Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement and malware distribution.

    When the server sends the Content-Security-Policy (CSP) header, the browser knows which sources are allowed and can protect the user by blocking dynamic calls that would otherwise load content into the page currently being visited.

    Why Is Content Security Being Implemented?


    Prerequisites

    • Access to the Powered By Jumbo Admin
    • Admin account with access to edit the site configuration

    1. CSP Settings

    Navigate to Operations > Platform config > Site

    Report blocked scripts in Bugsnag – This turns on reporting of blocked scripts to Jumbo. Only turn this function on once you have ensured that all scripts/content have been added to the policy.

    Set policy to ‘report-only’ – use this to test what will be blocked before turning enforcement on.


    2. How To Check If Something Is Being Blocked

    Set the CSP to Report Only.

    Navigate to your site, open the developer tools in your browser and switch to the Console tab.


    When a script is detected running and CSP is in Report Only mode, the console shows an error message such as: [Report Only] Refused to load the script ‘https://maps.googleapis.com’

    Identify which script/content has been found running and note it down, e.g. https://maps.googleapis.com

    3. How To Add A New Content Security Policy

    Under Site config > Content Security Policy, click Edit and scroll all the way to the bottom.


    Click + Add Item

    Fill in the Description field – describe in as much detail as possible what the script does.

    Add the Source – in most cases this will be the URL you found during your investigation with the developer tools. Detailed documentation on all possible configurations is to be found here.


    Once added, scroll up to save the changes.
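    The following script is an added example for steps 2 and 3 above; it is not code from the Powered By Jumbo platform. It shows, offline, what the browser does with a policy: it parses a Content-Security-Policy string, decides whether a script URL is allowed by script-src, and turns "Refused to load the script" console lines into the Source entries still missing from the policy. The sample policy, the page origin https://shop.example.com and the console lines are constructed; the Google Maps URL is the one used in the article. Port defaulting and nonce/hash sources are deliberately simplified.

```python
"""Minimal CSP script-src matcher (added example, not Jumbo platform code).

Implements the host-source rules a browser applies: optional scheme, an
optional leading "*." wildcard for subdomains, and a path that is a prefix
match when it ends in "/" and an exact match otherwise.
"""
from urllib.parse import urlsplit

# Constructed sample policy for a page served from https://shop.example.com
SAMPLE_POLICY = ("default-src 'self'; "
                 "script-src 'self' https://cdn.example.com https://*.example.org")
SAMPLE_ORIGIN = "https://shop.example.com"

# Constructed console lines in the format quoted in the article.
SAMPLE_CONSOLE = [
    "[Report Only] Refused to load the script 'https://maps.googleapis.com/maps/api/js'",
    "[Report Only] Refused to load the script 'https://maps.googleapis.com/maps/api/js?v=3'",
    "Navigated to https://shop.example.com/checkout",
]


def header_name(report_only: bool) -> str:
    """The report-only header logs violations; the other one enforces them."""
    return "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"


def parse_policy(policy: str) -> dict:
    """Split a policy string into {directive name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _split_source(expr: str):
    """Break a host-source like https://cdn.example.com/libs/ into parts."""
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.lower() if scheme else None, host.lower(), ("/" + path) if sep else ""


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.org" matches a.example.org, not example.org
    return pattern == host


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression allow this URL?"""
    target = urlsplit(url)
    if expr == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.hostname, target.port) == (origin.scheme, origin.hostname, origin.port)
    if expr.startswith("'"):
        return False  # 'none', nonces and hashes are not URL-based
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1].lower()  # scheme-source such as https:
    scheme, host, path = _split_source(expr)
    if scheme and scheme != target.scheme:
        return False
    target_host = (target.hostname or "") + (f":{target.port}" if target.port else "")
    if not _host_matches(host, target_host):
        return False
    if path.endswith("/"):
        return target.path.startswith(path)
    return not path or target.path == path


def is_allowed(policy: str, url: str, page_origin: str) -> bool:
    """Scripts fall back to default-src when script-src is absent."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    return any(source_allows(e, url, page_origin) for e in sources)


def suggested_source(url: str) -> str:
    """The Source entry to add for a blocked URL: scheme and host, no path."""
    t = urlsplit(url)
    return f"{t.scheme}://{t.netloc}"


def missing_sources(console_lines, policy: str, page_origin: str) -> list:
    """Distinct sources that the console says were refused and that the policy lacks."""
    marker = "Refused to load the script '"
    missing = []
    for line in console_lines:
        if marker not in line:
            continue
        url = line.split(marker, 1)[1].split("'", 1)[0]
        src = suggested_source(url)
        if not is_allowed(policy, url, page_origin) and src not in missing:
            missing.append(src)
    return missing


if __name__ == "__main__":
    print(header_name(True))
    print(missing_sources(SAMPLE_CONSOLE, SAMPLE_POLICY, SAMPLE_ORIGIN))
```

    Running it prints the report-only header name and ['https://maps.googleapis.com'], i.e. the single Source entry to add in step 3; once that entry is appended to script-src, the same console lines produce an empty list.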


    Updated on 6 March 2023