Content Security Policy

As an additional layer of defense against cross-site scripting (XSS), clickjacking and other code injection attacks, it's recommended to put strict Content Security Policy directives in place.

This page describes which directives are required in order for the Secure fields solution to work correctly.

💡
This document assumes that the reader already has a restrictive Content Security Policy in place. Once a CSP header is being sent, all internal and external resources must be present.
In order to avoid CSP violations, make sure to declare further script, style and frame sources depending on your project.

Directive	Production	Sandbox
script-src	pay.datatrans.com pci-proxy.com	pay.sandbox.datatrans.com sandbox.pci-proxy.com
style-src	'unsafe-inline'	'unsafe-inline'
frame-src	pay.datatrans.com pci-proxy.com	pay.sandbox.datatrans.com sandbox.pci-proxy.com

Example

Content-Security-Policy: default-src 'self'; script-src 'self' pay.datatrans.com pci-proxy.com; style-src 'self' 'unsafe-inline'; frame-src 'self' pay.datatrans.com pci-proxy.com

💡This document assumes that the reader already has a restrictive Content Security Policy in place. Once a CSP header is being sent, all internal and external resources must be present.

💡
This document assumes that the reader already has a restrictive Content Security Policy in place. Once a CSP header is being sent, all internal and external resources must be present.