Content Security Policies

Brand CTRL uses Content Security Policies (CSPs) to block all unknown services from accessing your site's pages. Rather than creating a list of bad actors to block, you choose which trusted services can access your site.

With the help of Yottaa's sales engineers and customer support, you can create CSPs that specify which services are allowed to access your site.

Example: Ecommerce 5000 wants to prevent formjackers and journey hijackers from loading on their checkout page. However, they want their coupon engine and analytics tool to continue to run. They create a CSP that only allows those third parties to run on their checkout pages. The CSP blocks every other service, including unidentified services, from loading on checkout pages. They also create Page Security rules that block those third parties from accessing form data on the checkout page.

The CSP protects your site no matter which browser or device type the shopper uses. However, a different version runs depending on the shopper's browser and device type.

Blocking vs. Allowing

Every day there are new services and bad actors attempting to access your site and your customers' information. Instead of trying to identify and block every one of these services, CSP rules allow you to start by blocking every service from your site. This ensures that new and unknown bad actors cannot access your site. You then set the CSP to allow all the third parties that you actually want on your site.

Checkout Pages

We recommend creating a stricter CSP for your checkout pages than for your browse pages (such as product descriptions, categories, and home page), since checkout pages include sensitive user information. We recommend that you only allow about six third parties access. You can then create Page Security rules that protect your customers' information from these services.

Report-Only Mode and Enforce Mode

Your sales engineer or customer success team member will first create a CSP in report-only mode to gather data about how best to implement your CSP. In report-only mode, the CSP directive does not block services from accessing your site. Instead, it generates a flagged security violation every time an unallowed service accesses your site.

In order to capture all the potential traffic on your site, the CSP will run in report-only mode for several weeks. This will give you time to ensure that you allow all the third parties that are necessary for proper functioning of your site. You can monitor the data on the Brand CTRL Dashboard.

After you have created the allow list, your Yottaa sales engineer will put the CSP into enforce mode using the Rules slider. In enforce mode, the CSP directive blocks all unallowed services from accessing your site. Each time one of these services attempts to access your site, the CSP generates a blocked security violation.

See Security Rules Workflow and Basic Setup for more information.