Ensure CSP is effective against XSS attacks

DonCappelo
Visitor

Good Afternoon,

I am reaching out to request assistance with enhancing the security of my Shopify store by implementing specific Content Security Policy (CSP) directives. I recently purchased a theme from the Shopify themes list and noticed a significant improvement in my store's performance as indicated by Page Speed Insights. However, I have encountered two security issues related to CSP that I need help addressing:

Missing script-src directive:

The absence of this directive can allow the execution of unsafe scripts, potentially exposing my store to XSS attacks.

Missing object-src directive:

The absence of this directive permits the injection of plugins that may execute unsafe scripts. I would like to set object-src to 'none' to prevent this.

Despite my efforts to manually add these directives to the theme.liquid file, I have not been successful. Could you please assist me with correctly implementing the following CSP directives in my theme?
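The two findings in the post above (a missing script-src and a missing object-src) are exactly what a CSP scanner reports when it resolves each directive the way a browser does: script-src and object-src both fall back to default-src when absent, and with neither present the policy places no restriction at all. The following linter is an added example written for this thread, not code from the original post or from Shopify; the policy strings it checks are constructed, and the CDN host in them is a placeholder. It also shows the one caveat that matters when a policy is added to theme.liquid as a `<meta>` tag: frame-ancestors, report-uri and sandbox are ignored in meta delivery and only take effect as an HTTP response header.

```javascript
// Added example: a small CSP linter that mirrors the scanner findings above.
// Directives that fall back to default-src when they are not set explicitly.
const FALLBACK = { 'script-src': 'default-src', 'object-src': 'default-src' };
// Directives a browser ignores when the policy is delivered via <meta http-equiv>.
const META_IGNORED = ['frame-ancestors', 'report-uri', 'sandbox'];

// Parse "name src src; name src" into a Map. Like browsers, keep only the
// first occurrence of a directive name and ignore later duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list that is actually enforced for `name`, following the
// default-src fallback. `sources === null` means the directive is unrestricted.
function effectiveSources(directives, name) {
  if (directives.has(name)) return { sources: directives.get(name), via: name };
  const fb = FALLBACK[name];
  if (fb && directives.has(fb)) return { sources: directives.get(fb), via: fb };
  return { sources: null, via: null };
}

// Produce human-readable findings for the script-src / object-src checks.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  const script = effectiveSources(d, 'script-src');
  if (script.sources === null) {
    findings.push('script-src: missing and no default-src fallback, so scripts from any origin may execute');
  } else {
    const s = script.sources.map((x) => x.toLowerCase());
    // In CSP3 browsers a nonce or hash makes 'unsafe-inline' inert, so only
    // flag it when no nonce/hash source is present.
    const hasNonceOrHash = s.some((x) => /^'(nonce-|sha(256|384|512)-)/.test(x));
    if (s.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push(`script-src (via ${script.via}): 'unsafe-inline' lets injected inline scripts run`);
    }
    if (s.includes('*')) {
      findings.push(`script-src (via ${script.via}): wildcard '*' allows scripts from any host`);
    }
  }

  const obj = effectiveSources(d, 'object-src');
  if (obj.sources === null) {
    findings.push('object-src: missing and no default-src fallback, so <object>/<embed> plugins may load from anywhere');
  } else if (!(obj.sources.length === 1 && obj.sources[0].toLowerCase() === "'none'")) {
    findings.push(`object-src (via ${obj.via}): not 'none'; set object-src 'none' unless plugins are required`);
  }
  return findings;
}

// Render a policy as a <meta> tag for theme.liquid and report which of its
// directives the browser will silently ignore in that delivery mode.
function cspMetaTag(policy) {
  const ignoredDirectives = [...parseCsp(policy).keys()].filter((n) => META_IGNORED.includes(n));
  const escaped = policy.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return { tag: `<meta http-equiv="Content-Security-Policy" content="${escaped}">`, ignoredDirectives };
}

// Constructed sample policies; https://cdn.example.com is a placeholder host.
const SAMPLES = {
  scannerFindings: "img-src 'self'",
  defaultOnly: "default-src 'self'",
  hardened: "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, policy] of Object.entries(SAMPLES)) {
    console.log(`${label}: ${policy}`);
    for (const f of lintCsp(policy)) console.log('  -', f);
  }
  console.log(cspMetaTag("script-src 'self'; frame-ancestors 'none'"));
}
```

Running the block shows the progression the post is after: the policy with neither directive gets both findings, `default-src 'self'` alone silences the script-src finding but still leaves object-src open, and the hardened policy is clean. Once the hardened string is chosen, the `tag` value is what goes in the theme's `<head>`; anything listed in `ignoredDirectives` has to be moved to the response header instead.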

Reply 1

Liam
Community Manager

Hi Don,

I think your best option here would be to contact the support team of the theme you purchased as they'll have the best insight into where and how to add these directives. 

Liam | Developer Advocate @ Shopify 