Content Security Policy (CSP)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

The messenger client injects its styles inline. If you enable CSP and your web server (or a meta tag) returns a Content-Security-Policy that restricts style-src, the browser will only apply those inline styles if the policy lists their SHA-256 hash. That hash changes whenever the injected CSS changes, so you must pin the messenger to a specific version: otherwise an automatic widget update changes the hash, the policy no longer matches, and the browser blocks the widget's styling.

Version pinning

If using version pinning, load the messenger from the region-specific URL below, replacing <version_number> with the release you have pinned:

  • For SBRegion eu-1: Use //lightning.production.helium.servismatrixcdn.com/v2/<version_number>/bundle-messenger.js
  • For SBRegion us1: Use //lightning.us1.helium.servismatrixcdn.com/v2/<version_number>/bundle-messenger.js

Inline Styles

If you set a CSP whose style-src does not include 'unsafe-inline' (for example style-src 'self' plus the hosts below), the SHA-256 hash of the messenger's inline style block must be listed as a source, as follows. The value is the base64-encoded SHA-256 digest of the exact text of the inline style element, whitespace included; a hash source in style-src covers <style> elements, not style attributes. If the hash is missing or stale the browser blocks the style, and browsers such as Chrome report the violation in the console together with the hash they expected.

	<meta
		http-equiv="Content-Security-Policy"
		content="
			style-src 'self' fonts.googleapis.com cdn.jsdelivr.net cdn.datatables.net *.servismatrixcdn.com *.servismatrix.com sborg-heupper-stgevopayments.s3.amazonaws.com cognito-identity.eu-west-1.amazonaws.com 'sha256-<value_here>';
		"
	/>