{"id":1114,"date":"2020-07-12T15:33:32","date_gmt":"2020-07-12T15:33:32","guid":{"rendered":"https:\/\/meetanshi.com\/blog\/2020\/07\/12\/disable-magento-2-content-security-policy\/"},"modified":"2026-04-22T15:41:15","modified_gmt":"2026-04-22T10:11:15","slug":"disable-magento-2-content-security-policy","status":"publish","type":"post","link":"https:\/\/meetanshi.com\/blog\/disable-magento-2-content-security-policy\/","title":{"rendered":"How to Disable Magento 2 Content Security Policy"},"content":{"rendered":"\n

Magento 2\u00a0consistently strives to offer a secure platform for online businesses, and every Magento 2 release is a source of security enhancements and performance improvements.<\/p>\n\n\n\n

New Magento releases come with exciting features and security enhancements for store owners.<\/p>\n\n\n\n

However, the Content Security Policy<\/a> that is introduced as a part of Magento 2 security improvements troubled many store owners with console error messages or content security policy warnings<\/a>.<\/p>\n\n\n\n

You\u2019d only know this if you have already upgraded to latest Magento 2<\/a> version. If not, download Magento 2.4.6<\/a> NOW!<\/p>\n\n\n\n

We\u2019ll go through the entire topic and everything related to the<\/p>\n\n\n\n

Magento 2 content security policy in this post.<\/p>\n\n\n\n

CSP is implemented in Magento 2.3.5<\/a> with an aim to offer an additional layer of defence to detect and mitigate the Cross-Site Scripting and its related data injection attacks.<\/p>\n\n\n\n

Content Security Policy works in two modes:<\/p>\n\n\n\n

    \n
  1. report \u2013 only<\/strong>\u00a0\u2013 Magento reports the policy violations but does not act upon them. It is mainly used for debugging. CSP works in this mode by default.<\/li>\n\n\n\n
  2. restrict mode<\/strong> \u2013 Magento acts in the case of policy violations.<\/li>\n<\/ol>\n\n\n\n

    Everything looks glorious when reading about what content security policies can do!<\/p>\n\n\n\n

    But the reality hit me hard.<\/p>\n\n\n\n

    And so will you.<\/p>\n\n\n\n

    This is why you would want to\u00a0disable Magento 2 Content Security Policy,\u00a0<\/strong><\/em>and the post shows you how.<\/p>\n\n\n\n

    The problem that we are trying to solve with Magento 2 Content Security Policy:<\/h2>\n\n\n\n

    Unethical elements that try to invade the Magento 2 store have an eye on your customers\u2019 sensitive data. The most discussed security issue currently is \u201cMagecart<\/a>\u201d<\/p>\n\n\n\n

    Magecart attack is where malicious hackers target online shopping carts to steal the customers\u2019 payment information. It is a supply chain attack that has been active since 2016.<\/p>\n\n\n\n

    A Magecart hacker embeds a piece of JavaScript code, either by altering the Magento 2 source code or by redirecting the shopping cart using an injection to a website that hosts the malware.<\/p>\n\n\n\n

    If the hackers get access to your Magento 2 (Adobe Commerce) admin panel somehow, they can add benign tags using the Miscellaneous HTML feature of Magento to inject the malicious code.<\/p>\n\n\n\n

    This is the problem that Magento 2.3.5 CSP intends to solve!<\/p>\n\n\n\n

    Why is Magento 2.3.5 Content Security Policy not enough to stop Magecart or similar attacks:<\/h2>\n\n\n\n

    CSP cannot be implemented to its full potential due to Magento\u2019s frontend JavaScript.<\/p>\n\n\n\n

    Talking about inline JavaScript, Magento needs to allow the \u201cunsafe-inline\u201d as inline JS is used massively throughout the platform. Now that\u2019s what the attackers are looking for, i.e., an inline\u00a0<script><\/code>\u00a0tag and Magento offers it out of compulsion!<\/p>\n\n\n\n

    Apart from this, another obstacle is unsafe-eval, which cannot be disabled. According to the\u00a0Magento 2 CSP Architectural Design Document<\/a><\/strong>,<\/p>\n\n\n\n

    \u201cTo allow merchants to use whitelisting with\u00a0hash,\u00a0we have to get rid of event handlers provided via HTML attributes and style attributes in our templates. There is no way to disable\u00a0unsafe-eval<\/code>\u00a0right now since we use it for UI components and some of the front-end libraries we employ need it (like jQuery). A strategy must be created to remove\u00a0eval()<\/code>\u00a0usage from UI components.\u201d<\/em><\/p>\n\n\n\n

    The content security policy implements the whitelist approach, i.e., the core functionalities work well with whitelisted domains only. The developers can use the extensible framework to whitelist any additional domains.<\/p>\n\n\n\n

    However, it is already noted in the part that the majority of whitelist CSPs can be bypassed, as it has JSONP endpoints that can be used inappropriately.<\/p>\n\n\n\n

    According to Google research<\/a>, 95% of CSP policies can easily be bypassed!<\/p>\n\n\n\n

    What to do now with Magento 2.3.5 CSP?<\/h2>\n\n\n\n

    The traditional method is to check the entire CMS content of the checkout page periodically against the original authenticated copy. Any changes found can be either from your team or an ethical source, or else your store has been attacked!<\/p>\n\n\n\n

    But for now, I am posting the method to disable Magento 2 CSP.<\/strong><\/em><\/p>\n\n\n\n

    Method to disable Magento 2 Content Security Policy:<\/h2>\n\n\n\n

    Disable the Magento_Csp<\/code> module using the below command:<\/p>\n\n\n\n

    php bin\/magento module:disable Magento_Csp<\/code><\/pre>\n\n\n\n
    That\u2019s it.<\/p>\n\n\n\n
    Also, I\u2019d be grateful if you could help me spread the word about the post via social media.<\/p>\n\n\n\n
    Thank you.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Magento 2\u00a0consistently strives to offer a secure platform for online businesses, and every Magento 2 release is a source of security enhancements and performance improvements….<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[34],"tags":[],"class_list":["post-1114","post","type-post","status-publish","format-standard","hentry","category-magento"],"acf":[],"_links":{"self":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/comments?post=1114"}],"version-history":[{"count":8,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1114\/revisions"}],"predecessor-version":[{"id":26364,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1114\/revisions\/26364"}],"wp:attachment":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/media?parent=1114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/categories?post=1114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/tags?post=1114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}