Content Security Policy (CSP) is an advanced security feature that acts like a “whitelist” for a web page, controlling which external scripts, styles, fonts, and other resources are allowed to load. You set (in the Foxy admin, under settings → checkout) which domains scripts can load from, and the browser will prevent anything outside the policy from loading.

Though Foxy has strict security controls, we do allow for flexibility on our checkout templates. This allows our users to include their own custom scripts (which need to be allow-listed in the CSP).

As an example, let's say you want to include some tracking functionality on your checkout, via a script hosted at js.example.com, which sends data to tracking.example.com. You add those domains to your CSP and the browser allows the scripts to load and execute. If example.com is hacked, however, and the attacker wants to exfiltrate data to hacker.evil.tld, the CSP will prevent the browser from sending that data.

A CSP doesn't prevent the hack, but it can mitigate the impact. Further, a CSP can be helpful in ensuring PCI compliance.

What it does: Logs policy violations without blocking anything. This lets you review your policy first, ensuring you've added the necessary domains.

How to set it up:

1. Turn on “Enable Report-Only CSP” in your Foxy admin, under settings → checkout.
2. Set a Reporting URL (where violation logs are sent). Any violations in the policy will be sent here, but it must be a URL.

• Use a free service like [Pipedream](https://pipedream.com) or [Webhook.site](https://webhook.site). You just need an endpoint to receive the reports (sent from the browser, in the background). There are 3rd-party services to monitor your CSP violations. Or if you can add scripts to your hosting environment, any endpoint that takes a request and outputs it anywhere (to an email, a log, or even to a Slack channel) would work fine.
• Contact Foxy for help here. We may have an as-yet-undocumented option for you to try.

1. Add trusted domains under Custom script sources:

• List domains hosting scripts/styles you use (e.g., example.com, *.example.com).

What to monitor:

• Check the reporting URL for unexpected violations (e.g., missing domains).
• Test all checkout flows (guest/logged-in users, payments, coupons).

Once you've tested and confirmed your report-only CSP doesn't trigger alerts, you can copy the settings over to the non-report-only CSP.

Critical Checks After Enforcing:

1. Monitor your reporting endpoint.
2. Confirm your checkout continues to function as expected.
3. Review and confirm any custom JavaScript (e.g., analytics, UI changes, etc.) works as desired.

Contact Foxy if you run into any issues.

Broken checkout after enabling CSP: Check your reporting endpoint for blocked domains, then add them to “Custom script sources” in the Foxy admin.

1. Always test in Report-Only mode first!
2. Update CSP when adding new integrations.
3. Regularly review violation logs for suspicious activity.