Skip to main content

Content Security Policy (CSP) and 3DS v2

  • Updated

At Rvvup, we take security seriously and support merchants in implementing best practices such as Content Security Policy (CSP) headers. However, if you have integrated Rvvup for card payments with 3D Secure 2 (3DS2), you may notice that enforcing CSP in full is not possible. Here’s why.

 

Understanding 3D Secure 2 and External Domains

3DS2 is a security protocol designed to reduce fraud and increase transaction approval rates. It involves additional authentication steps handled via an embedded iframe or full-page redirection to the card issuer’s Access Control Server (ACS).

Modern implementations of 3DS2 involve communication across multiple external domains, including those operated by:

  • Card issuers
  • Schemes (e.g. Visa, Mastercard)
  • Directory servers
  • ACS providers
  • 3DS SDK and authentication components

This network of third-party domains means that your checkout experience—especially the embedded 3DS2 challenge flows—relies on resources being loaded from domains outside of your own store’s domain.

 

Why CSP Is Problematic in This Context

When enforcing a strong CSP on your site (typically via the Content-Security-Policy HTTP header), you are required to specify which sources are allowed to load scripts, styles, frames, and other resources.

However:

  • The domains used by card issuers and schemes are not fixed. New domains may be introduced at any time without notice.
  • The 3DS2 flow includes iframes, postMessages, and redirects that can be blocked by CSP rules.

As a result, if CSP is enforced strictly (Content-Security-Policy: frame-src 'self'; for example), the authentication flow will likely break, leading to failed payments.

 

Avoid Strict Enforcement on Payment Pages

For critical pages such as the checkout or payment confirmation, consider applying relaxed or no CSP to avoid disrupting 3DS2 flows.

Our recommended approach is to set * in both the CSP frame-src and form-action directives to support all possible 3D ACS provider domains.

 

Conclusion:

Due to the dynamic and cross-domain nature of 3DS2, full CSP enforcement is not compatible yet with the 3DS2 standard. We recommend using CSP in a monitored, relaxed mode on payment pages and applying strict rules only to non-payment pages.

If you have any questions or would like assistance configuring your store for optimal compatibility and security, please contact our support team.

Was this article helpful?
2 out of 2 found this helpful
Return to top

Related articles