Store Settings

Security

Security configuration lets you customize the Content Security Policy (CSP) for your customer-facing website. CSP controls which external resources your store can load, helping protect against cross-site scripting and other attacks.


What is CSP?

Content Security Policy is a security feature that tells browsers which sources are allowed to load content on your website.


Default CSP configuration

Your store comes with a pre-configured CSP that includes hosts for Google Analytics, Google Tag Manager, Microsoft Clarity, Stripe, Revolut, Facebook, Cloudflare, and Google Fonts.

You only need to add additional hosts if you use third-party services not already included in the default configuration.


Configuring CSP

  1. From your admin, go to Settings > Security Configuration
  2. Add hosts to the appropriate CSP directive
  3. Click Save changes

CSP directives

connect-src

Controls which hosts your store can connect to for:

  • API requests (fetch, XMLHttpRequest)
  • WebSocket connections

Add hosts here for third-party APIs or services your store communicates with.

script-src

Controls which hosts can provide JavaScript files. Add hosts here for:

  • Analytics scripts
  • Chat widgets
  • Payment processing scripts

img-src

Controls which hosts can provide images. Add hosts here for:

  • External image hosting
  • Third-party badges or logos

frame-src

Controls which hosts can be embedded in iframes. Add hosts here for:

  • Embedded payment forms
  • Video players
  • Third-party widgets

Adding hosts

For each directive, you can add multiple hosts:

  1. Click Add Host
  2. Enter the host URL (e.g., https://example.com)
  3. Repeat for additional hosts
  4. Click Save changes

Wildcards

You can use wildcards to allow subdomains. For example, https://*.example.com allows all subdomains of example.com.


Common examples

Service            Directive                  Host
Google Analytics   script-src, connect-src    https://*.google-analytics.com
Facebook Pixel     script-src, connect-src    https://*.facebook.com
Stripe             script-src, frame-src      https://*.stripe.com
YouTube embeds     frame-src                  https://*.youtube.com

Important

Only add hosts you trust. Each additional host increases your attack surface. CSP keywords like 'unsafe-inline' or 'self' are not permitted.
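The following is an added example, not the store platform's own code: it shows how per-directive host lists like the ones configured above turn into a Content-Security-Policy header, how a wildcard entry such as https://*.example.com matches subdomains but not the bare domain, and how entries that are not plain https hosts (including CSP keywords such as 'unsafe-inline' or 'self') are rejected before they reach the policy. The default host list, the 'self' entry the platform is assumed to add for the store's own origin, and the sample inputs are all constructed for the example.

```javascript
// Added example (not the platform's own code). Builds and checks a CSP from
// per-directive host lists. DEFAULT_HOSTS is a constructed stand-in for the
// pre-configured defaults; the real list is not reproduced on the page.
const DEFAULT_HOSTS = {
  "connect-src": ["https://*.google-analytics.com", "https://api.stripe.com"],
  "script-src": ["https://*.googletagmanager.com", "https://js.stripe.com"],
  "img-src": ["https://*.google-analytics.com"],
  "frame-src": ["https://js.stripe.com"],
};

const DIRECTIVES = Object.keys(DEFAULT_HOSTS);

// A host entry is https://example.com or https://*.example.com. The wildcard is
// only accepted as the leading label, so "https://*" or "https://a.*.com" fail.
const HOST_RE = /^https:\/\/(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$/i;

// Returns null when the entry is acceptable, otherwise a reason string.
function validateHost(host) {
  const h = host.trim();
  // CSP keywords are quoted tokens ('self', 'unsafe-inline', 'none', ...);
  // the configuration page does not permit them, so they are refused here.
  if (/^'.*'$/.test(h)) return `CSP keyword not permitted: ${h}`;
  if (!HOST_RE.test(h)) return `not an https host (optionally with leading *.): ${h}`;
  return null;
}

// Merge store-added hosts into the defaults, collecting rejected entries
// instead of silently dropping them so the operator can see what was refused.
function buildPolicy(added) {
  const policy = {};
  const errors = [];
  for (const d of DIRECTIVES) {
    const hosts = new Set(DEFAULT_HOSTS[d]);
    for (const host of added[d] || []) {
      const err = validateHost(host);
      if (err) {
        errors.push(`${d}: ${err}`);
        continue;
      }
      hosts.add(host.trim().toLowerCase());
    }
    policy[d] = [...hosts];
  }
  return { policy, errors };
}

// Serialise to the header value the browser enforces. 'self' (the store's own
// origin) is assumed to be added by the platform, which is why users cannot.
function toHeader(policy) {
  return DIRECTIVES.map((d) => `${d} 'self' ${policy[d].join(" ")}`).join("; ");
}

// Would the browser allow this URL under the given directive? A wildcard host
// matches any subdomain (https://*.example.com covers https://cdn.example.com)
// but, as in CSP, not the apex example.com itself.
function isAllowed(policy, directive, url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:") return false;
  const name = u.hostname.toLowerCase();
  return policy[directive].some((entry) => {
    const host = entry.slice("https://".length).toLowerCase();
    if (host.startsWith("*.")) return name.endsWith(host.slice(1)); // ".example.com"
    return name === host;
  });
}

// Constructed sample of what an operator might enter on the settings page.
const { policy, errors } = buildPolicy({
  "script-src": ["https://*.youtube.com", "'unsafe-inline'", "http://insecure.example.com"],
  "frame-src": ["https://*.youtube.com"],
});
console.log(toHeader(policy));
console.log("rejected:", errors);
console.log("frame www.youtube.com:", isAllowed(policy, "frame-src", "https://www.youtube.com/embed/x"));
console.log("frame youtube.com:", isAllowed(policy, "frame-src", "https://youtube.com/embed/x"));
```

The `isAllowed` check is a quick way to confirm, before saving, that the host you typed actually covers the URL the third-party service loads from; the common mistake is adding https://*.example.com when the resource is served from https://example.com, which the wildcard does not match.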

