less than a minute read • Updated 13 minutes ago
Configure a Content Security Policy (CSP)
How to set up and enforce a Content Security Policy on your Foxy checkout to control which scripts, styles, and other resources are allowed to load.
A Content Security Policy (CSP) acts as a whitelist for your checkout page, controlling which external domains scripts, styles, fonts, and other resources are allowed to load from. You configure it in the Foxy admin, under Settings → Checkout.
If you haven’t customized your checkout with your own scripts or templates, you can likely enable CSP directly — but we still recommend testing first using the steps below.
Why it matters
Foxy’s checkout allows custom scripts for things like tracking or analytics, and each domain those scripts load from (and send data to) needs to be allow-listed in your CSP. For example, if you add a tracking script hosted at js.example.com that sends data to tracking.example.com, you’d add both domains to your CSP. If example.com were later compromised and an attacker tried to send your customers’ data to hacker.evil.tld, the CSP would block that request. A CSP doesn’t prevent a compromise from happening, but it can significantly limit the damage — and it can also help support PCI compliance.
Steps
Step 1: Test in report-only mode
Report-only mode logs policy violations without blocking anything, so you can confirm your policy is correct before it can break your checkout.
Step 2: Enforce CSP
Once you’ve tested in report-only mode and confirmed there are no unexpected violations, copy the same settings over to the non-report-only CSP to start enforcing it.
Notes
If your checkout breaks after enabling CSP, check your reporting endpoint for the blocked domain, then add it to Custom script sources in the Foxy admin.
Always test in report-only mode first — don’t enforce a CSP you haven’t verified.
Update your CSP whenever you add a new integration or script.
Review your violation logs periodically for suspicious activity.