Magento 2 CSP Whitelisting

£120.00
Compatible with Magento 2 community and enterprise 2.3.3 - 2.4.x including cloud edition

This Magento 2 CSP whitelisting module streamlines the creation and management of Content Security Policy (CSP) whitelists. By simplifying the process directly within the Magento 2 admin panel, it eliminates the need for complex code modifications. This user-friendly extension is particularly valuable for Magento 2.4.7 stores with stricter CSP enforcement, allowing for easy whitelist management without compromising security.

  • Create and manage CSP whitelists for URLs or hosts directly from the Magento 2 admin panel
  • Enable or disable specific CSP directives with individual policy control
  • Granular Host Whitelisting
  • Manage whitelists within a user-friendly interface, streamlining the CSP configuration process.
  • No need to modify code with each new module installation or external URL integration, saving development time
  • Supports "hash" type CSP Whitelist
  • Bypass Magento 2.4.7 restrict mode CSP enforcement easily
  • Ensure no critical data points or resources are missing from your store due to CSP

Free Support

up to 60 days

Free Upgrades

up to 1 year

Fully open source

 

5/5: Easy to whitelist external URLs and inline scripts
With just a few clicks, we were able to whitelist external URLs and inline scripts. The user interface within Magento admin is intuitive, making it easy even for those who aren't very tech-savvy. The support team is also very responsive and helpful, addressing any queries we had promptly. Overall, I highly recommend this extension for anyone looking to fix CSP errors on your site :-)
Composer Package name:
scommerce/cspwhitelist
Latest Version:
2.0.2

Product description

Magento 2 Content Security Policy (CSP) Whitelisting 

Compatible with Magento 2 community and enterprise 2.3.3 - 2.4.x including cloud edition

Content Security Policy (CSP) is a powerful security measure that restricts the resources a web page can load. By implementing a well-defined CSP, you significantly reduce the attack surface of your Magento store, making it more resistant to malicious scripts, injections, and other web-based threats.

This extension grants you complete control over your CSP configuration. The user-friendly interface allows you to effortlessly enable/disable the extension, and configure individual CSP directives.

Problem and the Solution

Running a Magento 2 store is like running a high-end boutique. You want to showcase your products in the best light, attract the right customers, and ensure everything is secure. But unlike a brick-and-mortar store, online threats can lurk in the shadows of your code. That's where Magento 2 Content Security Policy (CSP) comes in – your virtual security guard, keeping the bad guys out and the good guys flowing through.

Imagine CSP as a bouncer with a VIP list. It checks every script, style, and font trying to enter your website against a pre-approved list. Only those on the list (think trusted vendors and your own custom code) get access. This significantly reduces the risk of malicious code injection, a tactic hackers use to steal data or take control of your site.

Here's the catch: overly strict CSP rules can be like an overzealous bouncer, turning away legitimate customers (read: essential functionalities). You might find your fancy product sliders malfunctioning or social media buttons disappearing. This can lead to frustrated shoppers and lost sales – not exactly the outcome you're looking for.

So, how do you strike the balance between security and functionality? Enter the user-friendly Magento 2 CSP whitelisting module. It acts like the velvet rope at your virtual door: you can create and manage whitelists for trusted URLs and domains directly from your Magento 2 admin panel. No more wrestling with complex code!

Identifying and Fixing Magento CSP Errors

  • Open your site in Google Chrome Browser
  • Check console logs
  • Each CSP error names the Content Security Policy directive that was violated (for example img-src, connect-src or script-src) together with the host name.
  • For example: Refused to load the image 'https://region1.google-analytics.com/g/collect...' because it violates the following Content Security Policy directive: "content-src...". In this example content-src is the policy id and region1.google-analytics.com is the host, which can be added in the configuration to fix this error.

Magento 2 CSP Whitelisting

  • Once identified, add all the hosts visible in the above image to the extension configuration under the directive "content-src". After that the error will no longer be displayed in the console and the host will not be blocked anymore.
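Scripting the console triage described above, as an added example that is not part of the module: the console lines below are constructed to mirror Chrome's wording, and the parser turns each one into the directive and host that go into the extension's per-directive rows (inline-script violations are flagged separately, since they need a hash rather than a host).

```javascript
// Added example, not code from the scommerce/cspwhitelist module: parse the
// CSP violation messages Chrome prints to the console into the
// (directive, host) pairs the extension's configuration asks for.

// Constructed sample console output, worded the way Chrome reports violations.
const SAMPLE_CONSOLE = [
  "Refused to load the image 'https://region1.google-analytics.com/g/collect?v=2' " +
    "because it violates the following Content Security Policy directive: \"img-src 'self' data:\".",
  "Refused to connect to 'https://api.payments.example/v1/session' " +
    "because it violates the following Content Security Policy directive: \"connect-src 'self'\".",
  "Refused to load the script 'https://cdn.widgets.example/slider.js' " +
    "because it violates the following Content Security Policy directive: \"script-src 'self'\".",
  "Refused to execute inline script because it violates the following Content Security Policy " +
    "directive: \"script-src 'self'\". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), " +
    "or a nonce ('nonce-...') is required to enable inline execution.",
  // Duplicate of the first line: the same host is reported once per blocked request.
  "Refused to load the image 'https://region1.google-analytics.com/g/collect?v=2' " +
    "because it violates the following Content Security Policy directive: \"img-src 'self' data:\".",
  "Unrelated console noise that is not a CSP report",
];

// A blocked external resource: the quoted URL and the violated directive.
const HOST_VIOLATION = /^Refused to [a-z ]+ '([^']+)' because it violates the following Content Security Policy directive: "([a-z-]+)/;
// A blocked inline <script> or <style>: no URL, so the fix is a hash (or nonce), not a host.
const INLINE_VIOLATION = /^Refused to (execute inline script|apply inline style) because it violates the following Content Security Policy directive: "([a-z-]+)/;

// Returns one entry per distinct (directive, type, value), in first-seen order.
function parseCspViolations(consoleLines) {
  const seen = new Set();
  const entries = [];
  for (const line of consoleLines) {
    let entry = null;
    let m = HOST_VIOLATION.exec(line);
    if (m) {
      // The module whitelists hosts, so keep only the host part of the URL.
      entry = { directive: m[2], type: 'host', value: new URL(m[1]).host };
    } else if ((m = INLINE_VIOLATION.exec(line))) {
      entry = { directive: m[2], type: 'hash', value: m[1] };
    }
    if (!entry) continue;
    const key = `${entry.directive}|${entry.type}|${entry.value}`;
    if (seen.has(key)) continue;
    seen.add(key);
    entries.push(entry);
  }
  return entries;
}

// Group host entries per directive: the shape of the module's per-directive rows.
function toDirectiveHosts(entries) {
  const out = {};
  for (const e of entries) {
    if (e.type !== 'host') continue;
    if (!out[e.directive]) out[e.directive] = [];
    out[e.directive].push(e.value);
  }
  return out;
}

console.log(JSON.stringify(toDirectiveHosts(parseCspViolations(SAMPLE_CONSOLE)), null, 2));
```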

CSP Directives: Explained

Here we explain each of the CSP directives in detail so that you are able to identify the error in your browser console and make the appropriate entries in the module to fix it. Here's a breakdown of common CSP directives and their meaning:

  1. default-src

    • Purpose: Sets the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, and frames. If other directives are not specified, this policy will be applied.
    • Example: default-src 'self'
    • Explanation: Allows content to be loaded only from the same origin as the page.
  2. script-src

    • Purpose: Controls what JavaScript can be executed on the page.
    • Example: script-src 'self' https://apis.google.com
    • Explanation: Allows scripts to be loaded from the same origin and Google's API services.
  3. style-src

    • Purpose: Specifies the sources for stylesheets.
    • Example: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
    • Explanation: Allows styles from the same origin, inline styles (which can be risky), and Google Fonts.
  4. img-src

    • Purpose: Defines from where images can be loaded.
    • Example: img-src 'self' https://images.example.com
    • Explanation: Allows images to be loaded from the same origin and a specific image CDN.
  5. connect-src

    • Purpose: Limits the origins that can be connected to via scripts (like AJAX calls).
    • Example: connect-src 'self' https://api.example.com
    • Explanation: Only allows connections to the same origin and a specific API endpoint.
  6. font-src

    • Purpose: Controls the sources for web fonts.
    • Example: font-src 'self' https://fonts.gstatic.com
    • Explanation: Allows fonts to be loaded from the same origin and Google Fonts CDN.
  7. object-src

    • Purpose: Specifies valid sources for the <object>, <embed>, and <applet> tags.
    • Example: object-src 'none'
    • Explanation: Disallows all usage of these tags, enhancing security.
  8. media-src

    • Purpose: Controls the origins from which media files (like audio and video) can be loaded.
    • Example: media-src 'self' https://media.example.com
    • Explanation: Allows media to be loaded from the same origin and a specific media CDN.
  9. frame-src

    • Purpose: Specifies valid sources for nested browsing contexts using <frame> and <iframe>.
    • Example: frame-src 'self' https://trustedpartner.com
    • Explanation: Allows iframes from the same origin and a trusted partner site.
  10. child-src

    • Purpose: Specifies valid sources for web workers and nested browsing contexts (like iframes).
    • Example: child-src 'self' https://example.com
    • Explanation: Allows web workers and iframes from the same origin and a specific site.
  11. worker-src

    • Purpose: Controls the sources for Worker, SharedWorker, or ServiceWorker scripts.
    • Example: worker-src 'self'
    • Explanation: Allows worker scripts to be loaded from the same origin.
  12. form-action

    • Purpose: Specifies which URLs can be used as the target of form submissions.
    • Example: form-action 'self' https://forms.example.com
    • Explanation: Allows form submissions to the same origin and a specific forms endpoint.
  13. frame-ancestors

    • Purpose: Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
    • Example: frame-ancestors 'self' https://trustedpartner.com
    • Explanation: Allows the page to be framed only by the same origin and a trusted partner.
  14. base-uri

    • Purpose: Restricts the URLs which can be used in a document’s <base> element.
    • Example: base-uri 'self'
    • Explanation: Allows the base URL to be set only to the same origin.
  15. report-uri

    • Purpose: Specifies the URL where the browser sends reports about policy violations.
    • Example: report-uri https://report.example.com/csp-violations
    • Explanation: Violations of the CSP are reported to the specified URL.
  16. report-to

    • Purpose: Defines a reporting group which can be used to specify endpoints for reporting.
    • Example: report-to csp-endpoint
    • Explanation: Uses the endpoint group named csp-endpoint, defined in the Reporting-Endpoints header (or the legacy Report-To header), as the destination for CSP violation reports.
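To make the directive semantics above concrete, here is an added example (not the extension's code) that serialises a per-directive whitelist into a Content-Security-Policy header and checks a resource URL against it. It implements the default-src fallback described under directive 1 and the three host forms the FAQ lists (https://xyz, xyz and *.xyz); the wildcard follows the CSP specification, matching subdomains only. POLICY, PAGE_ORIGIN and the URLs are constructed for the example.

```javascript
// Added example, not code from the scommerce/cspwhitelist module.
// Page origin and policy are constructed sample values.
const PAGE_ORIGIN = 'https://shop.example';

const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://apis.google.com'],
  'img-src': ["'self'", '*.google-analytics.com', 'images.example'],
  'connect-src': ["'self'", 'https://api.example'],
  'object-src': ["'none'"],
};

// Fetch directives fall back to default-src when they are not set.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'frame-src', 'child-src', 'worker-src', 'object-src',
]);

// Serialise the policy the way it is sent in the response header.
function buildHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Simplified host-source matching: 'self', 'none', and the three whitelist
// forms https://xyz (scheme must match), xyz (any http(s) scheme) and
// *.xyz (subdomains only, as the CSP specification defines the wildcard).
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  const m = /^(?:(https?):\/\/)?([^/:]+)$/.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme && `${scheme}:` !== url.protocol) return false;
  if (!scheme && !/^https?:$/.test(url.protocol)) return false;
  if (hostPattern.startsWith('*.')) return url.hostname.endsWith(hostPattern.slice(1));
  return url.hostname === hostPattern;
}

// Is resourceUrl permitted for the given directive under this policy?
function isAllowed(policy, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  let sources = policy[directive];
  if (!sources && FETCH_DIRECTIVES.has(directive)) sources = policy['default-src'];
  if (!sources) return true; // neither the directive nor default-src is set
  const url = new URL(resourceUrl);
  return sources.some((source) => sourceMatches(source, url, pageOrigin));
}

console.log(buildHeader(POLICY));
```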

The main highlights of the module are:

  • Effortless Whitelisting: Easily add whitelisted resources for various CSP policies (script-src, style-src, etc.) through a user-friendly interface. No more manual configuration hassles!
  • Enhanced Security: Maintain a secure environment by whitelisting only trusted resources while mitigating Cross-Site Scripting (XSS) and other attacks.
  • Streamlined Workflow: Save valuable development time with straightforward configuration.
  • Improved User Experience: Eliminate broken functionality and ensure a seamless user experience for your customers.
  • Granular Control: Define whitelisted resources by domain, subdomain, or specific URL path for maximum security.
  • Multi-Store Support: Manage whitelists for multiple Magento 2 stores from a single location.
  • Ensure you are ready for Magento 2.4.7 restrict mode CSP enforcement.
  • Supports "hash" type CSP whitelist for style-src and script-src CSP errors (NEW!)
  • Easy to install and manage
  • Flexible and user-friendly interface.
  • Easy configuration
  • It can be easily disabled from admin interface.



We offer 60 days of free support and 12 months of free upgrades for any standard Magento site when you buy this extension. You can also get our installation service for a small fee. If you want more benefits, you can purchase our package of 12 months of premium support and free lifetime upgrades. Please contact us if you need any assistance or customization for this extension; we will reply within 48 hours. We may also offer you a special deal or a free solution if we like your idea.


** Please refer to our FAQ or T&C section for running our extensions on multiple domains or sub-domains

FAQ

Frequently Asked Questions

 

Q. How do I access the configuration page for the CSP whitelisting extension in my Magento store's admin panel?
A. To access the configuration page, log in to your Magento admin panel and navigate to Stores->Configuration->Scommerce Configuration
Q. Can I enable or disable the CSP whitelisting functionality easily through the extension's configuration page?
A. Yes, the extension provides an option to enable or disable its functionality directly from the configuration page. You can toggle the setting based on your security requirements or preferences.
Q. How do I add new host entries to whitelist specific domains for each CSP directive?
A. Each CSP directive section has a dynamic row control for adding new host entries. Click the "Add Record" button (or similar), and a new row will appear where you can select the type of entry (e.g., 'host') and enter the host name (e.g., '*.google-analytics.com').
Q. What happens after I save the configuration changes in the CSP whitelisting extension?
A. When you save the configuration, the extension updates the CSP headers of your Magento store to reflect the whitelisted hosts for each enabled policy. This ensures that only approved resources can be loaded from the specified domains according to the configured policies.
Q. Is it possible to revert back to default CSP settings or remove the CSP headers altogether?
A. Yes, if needed, you can disable the CSP whitelisting extension, which should revert the CSP headers to their default settings or remove them entirely. This action is available within the extension's configuration options.
Q. What should I do if I encounter issues with the CSP whitelisting extension, such as performance degradation or conflicts with other extensions?
A. If you experience any issues or performance concerns with the extension, you should first check the extension documentation or user guide for troubleshooting tips. Additionally, you can reach out to the support team for assistance in resolving any technical issues or conflicts.
Q. Can I customize the CSP directives beyond the predefined options provided by the extension?
A. The extension typically offers predefined CSP directives based on common security best practices. However, if you have specific customization requirements beyond these options, you may need to consult with our support team.
Q. Can I test the effectiveness of the CSP policies configured by the extension before deploying them in a production environment?
A. Yes, it's advisable to test the CSP policies in a staging or development environment before deploying them in production. This allows you to identify any potential issues or unintended consequences of the policies before they impact live users.
Q. Does the extension weaken Magento's security?
A. When adding or changing whitelist, ensure to include only those domains that are recognised and trustworthy. This precaution is crucial because unauthorised or compromised domains may contain malicious scripts.
Q. What if I accidentally whitelist a malicious source?
A. Promptly remove any malicious sources from your configuration to blacklist them and ensure the removal of such scripts from your website.
Q. What are the ways of adding a host URL in order to whitelist it?
A. In total, there are three ways to add a host URL: with https, without https, and with an asterisk. For example: a) https://xyz b) xyz c) *.xyz. By doing so, the user is able to whitelist the domains and subdomains that contain xyz.
Q. Does the module fix inline Style and Script Src errors?
A. Yes, we have added support for "hash" type CSP whitelist entries, with which you can whitelist inline style and script CSP errors. Please check our USER GUIDE for detailed steps on fixing such errors.

Q. How can I get license key for my development website?
A. Please log in to your account and go to the My Account section. From the left menu select Generate Dev License Key, enter the dev site URL, select the extension from the dropdown and click Generate to get the license key.
Q. Can I test the extension before buying?
A. Unfortunately we can't provide the extension for testing purposes, but we have a demo available for most of our extensions and are happy to provide a full refund if the extension doesn't work.
Q. Can I request for customisation on your extensions?
A. Yes, we provide all sorts of customisation for our clients at reasonable rates. If we believe the customisation will help our product, we also offer a substantial discount on it.
Q. I have two live domains, do I need a separate license key for each live domain?
A. Yes, you need to buy a separate license key for each live domain (www.site.com), sub-domain (de.site.com) or subfolder (www.site.com/de). If you are buying licenses for more than four live sites in one transaction, we can offer you a 30% discount on the total amount.
Q. How can I upgrade my extension to the latest version?
A. If your extension is within the free upgrade period (12 months from the purchase date), simply email us with your order number and our team will send you the latest version of the extension. If it is outside the free upgrade period, you need to buy an upgrade using the following link:
https://www.scommerce-mage.com/magento-extension-installation-service.html

Once you have received the latest version of our extension, we highly recommend deleting all the files and folders of our extension from your website before uploading the latest version, because we may have removed existing files, and keeping stale files could cause problems on your website.
Q. Does my license expire after a certain period?
A. No, your license does not expire, but we highly recommend upgrading to get all the latest fixes (including security fixes, if any), improvements and new features. With each upgrade we also ensure compatibility with the latest version of Magento, so that your upgrade is a smooth transition.
Q. Where can I download the extension files?
A. Please login into your account on our website and go to the download link under my account section to download the extension package.
Q. Can you provide a key that works for our development (NOT PRODUCTION) environment which will work on a dynamic URL, for example, 12334.gitpod.com and 4567.gitpod.com?
A. Unfortunately it is not possible to generate license keys based on the dynamic URLs. License keys need to be generated per domain or subdomain whether it is production or non-production.
Q. How can I manually uninstall your module?
A. Please follow the steps below:

Step 1: Navigate to our store and log in to your account. Then go to the My Account section and, on the left menu, click on Composer Instructions.
Step 2: Run the config commands shown at the top of the page, then click on the extension that you want to install. A composer require command will be revealed in the dropdown menu. Run the command, then clear caches to complete the installation.
Q. Do you support SPA (Single Page Application) / PWA (Progressive Web Application) / AMP ?
A. Unfortunately, we don’t support SPA or PWA or AMP but we may be supporting them in future depending upon the demand.

Change Log

Version 2.0.2
2024-08-23 13:48:33
We have enhanced our CSP Whitelist Module to support the "hash" type, as recommended in the Adobe Commerce Security Guidelines. This update allows you to whitelist inline CSS and JS inside style and script tags by generating a SHA-256 hash of a tag's content and encoding it as BASE64.
Version 2.0.1
2024-06-07 07:49:55
In the latest update, we have refined the behavior of the report only mode flag. It will now be operational exclusively on pages other than the checkout page. This adjustment aligns with the restrict mode requirements introduced in Magento 2.4.7, which necessitate the checkout page to always operate in restrict mode. Consequently, the checkout page will maintain restrict mode regardless of the report flag's status.
Version 2.0.0
2024-05-23 18:53:19
Initial Release