CSP Headers

Content Security Policy (CSP) settings in the Nexudus Members Portal in alignment with PCI DSS 4.0 requirements

As part of our commitment to security and compliance, we are implementing changes to the Content Security Policy (CSP) settings in the Nexudus Members Portal in alignment with PCI DSS 4.0 requirements.

🚨 What’s Changing?
Starting April 2025, the Members Portal will enforce a stricter CSP, which is a browser-level security mechanism that controls how and from where content such as scripts, stylesheets, fonts, and other assets are loaded.

This update will affect any external scripts, stylesheets, or other files that are being loaded in your Members Portal, including:

  • Embedded third-party widgets (e.g., chat, analytics, video embeds)
  • Custom scripts added via the HTML editor or template overrides
  • External fonts, images, or stylesheets

✅ What You Need to Do
If you are using any custom code or third-party services that load external resources in the Members Portal, please ensure that:

  • All external URLs are secure (i.e., use HTTPS).
  • The domains from which these resources are loaded are explicitly whitelisted in the CSP headers.
  • You review your current portal customizations to ensure they work under the stricter CSP.

The default portal codebase will provide a list of approved domains for the integrations we support, such as Google Analytics and the payment systems we connect to.
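To see how the checklist above plays out, here is an added audit script (not Nexudus code, and not the portal's actual CSP) that parses a CSP header of the kind described in "What's Changing" and reports, for each external resource a customization loads, whether the browser would allow it, whether it fails the HTTPS requirement, or which domain would need adding to which directive. The portal origin, the policy string, the vendor hostnames ending in `.example` and the resource list are all constructed for the illustration; only the Google Tag Manager and Google Fonts hostnames are real, as examples of the integrations the page mentions.

```python
"""Audit external Members Portal resources against a CSP header.

Added example, not Nexudus code. The portal origin, policy string and
resource list are constructed; hostnames under .example are placeholders.
"""
from urllib.parse import urlparse

# Directive that governs each kind of resource. Real CSP has a longer
# fallback chain (frame-src -> child-src -> default-src); this audit only
# falls back to default-src, which is enough for the resources below.
DIRECTIVE_FOR_KIND = {
    "script": "script-src",
    "style": "style-src",
    "font": "font-src",
    "image": "img-src",
    "frame": "frame-src",
}


def parse_csp(header):
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """CSP host matching: exact host, or '*.example.com' for any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(source, url, portal_origin):
    """Does one CSP source expression permit this URL?"""
    src = source.lower()
    parsed = urlparse(url)
    if src == "'self'":
        portal = urlparse(portal_origin)
        return (parsed.scheme, parsed.netloc) == (portal.scheme, portal.netloc)
    if src.startswith("'"):           # 'unsafe-inline', 'nonce-...': not host sources
        return False
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:   # scheme-source such as https:
        return parsed.scheme == src[:-1]
    if "://" in src:                  # host-source with explicit scheme
        scheme, _, rest = src.partition("://")
        if parsed.scheme != scheme:
            return False
    else:                             # bare host: accept http or https here
        rest = src
    host_only = rest.split("/")[0].split(":")[0]   # drop path and port
    return host_matches(host_only, (parsed.hostname or "").lower())


def audit(csp_header, portal_origin, resources):
    """Return one (url, directive, status) finding per (kind, url) resource."""
    policy = parse_csp(csp_header)
    findings = []
    for kind, url in resources:
        directive = DIRECTIVE_FOR_KIND[kind]
        sources = policy.get(directive, policy.get("default-src", []))
        parsed = urlparse(url)
        if parsed.scheme != "https":
            status = "blocked: not HTTPS"
        elif "'none'" in sources:
            status = f"blocked: {directive} is 'none'"
        elif any(source_allows(s, url, portal_origin) for s in sources):
            status = "allowed"
        else:
            status = f"blocked: add https://{parsed.hostname} to {directive}"
        findings.append((url, directive, status))
    return findings


# --- constructed sample data ---------------------------------------------
PORTAL_ORIGIN = "https://members.example-space.example"   # placeholder portal
EXAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com https://*.chat-widget.example; "
    "style-src 'self' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' https: data:"
)
RESOURCES = [
    ("script", "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"),
    ("script", "https://app.chat-widget.example/embed.js"),
    ("script", "https://cdn.other-vendor.example/tracker.js"),
    ("style", "https://fonts.googleapis.com/css2?family=Inter"),
    ("font", "https://fonts.gstatic.com/s/inter/v12/font.woff2"),
    ("image", "http://legacy.example/logo.png"),
    ("frame", "https://www.youtube.com/embed/abc123"),
]

if __name__ == "__main__":
    for url, directive, status in audit(EXAMPLE_CSP, PORTAL_ORIGIN, RESOURCES):
        print(f"{status:55} {directive:11} {url}")
```

Run it as a script to get one line per resource. The two useful outcomes for a customization review are the "not HTTPS" finding, which no CSP change can fix (the URL itself has to change), and the "add ... to ..." finding, which names the exact directive to extend; the wildcard match shows why allowing `https://*.vendor.example` covers every subdomain, which is broader than most widgets need.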

You can find more information about how to add your own CSP rules here.

💡 Why This Matters
This update is a crucial step toward ensuring:

  • Compliance with PCI DSS 4.0 requirements on secure script execution.
  • Improved protection against cross-site scripting (XSS) and related threats.
  • A more secure browsing experience for your members.