Security on Pre-built UI
We leverage modern browser security headers to help ensure that our pre-built UI content is only rendered on the sites of trusted customers. Because of this, we require you to provide your domain information (hostnames) as part of the onboarding process, so that our payment gateway is rendered correctly on your site.
Security Headers
Security headers are a group of headers in the HTTP response from a server that tell your browser how to behave when handling your site's content. The following is a list of each header we'll be implementing, with a link to more information.
| Security header | Description |
|---|---|
| X-Frame-Options | Indicates whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, or `<object>`. For example: X-Frame-Options: DENY |
| Strict-Transport-Security | Lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. For example: Strict-Transport-Security: max-age=63072000; includeSubdomains; preload |
| Content-Security-Policy | Allows website administrators to control the resources the user agent is allowed to load for a given page. For example: Content-Security-Policy: frame-ancestors 'self' http://example.com; default-src 'none'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none' |
| X-XSS-Protection | Stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack. For example: X-XSS-Protection: 1; mode=block |
| Referrer-Policy | Controls how much referrer information (sent via the Referer header) should be included with requests. For example: Referrer-Policy: same-origin |
| X-Content-Type-Options | Indicates that the MIME types advertised in the Content-Type headers should be followed and not changed. For example: X-Content-Type-Options: nosniff |
X-Frame-Options and the CSP frame-ancestors directive are whitelisted so that only the specific pages that need to embed the pre-built UI are allowed to frame it.
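The following is an added illustration of how the whitelist decision above can be turned into a response header set; it is not the gateway's own code. The allowlist contents, the function names and the idea that the server has already derived the embedding origin from the request (for example from its Referer or Origin header) are assumptions. Note one deliberate choice: X-Frame-Options has no valid value that admits a third-party origin, and browsers that understand the CSP frame-ancestors directive use it in preference to X-Frame-Options, so the allowed case below relies on frame-ancestors alone (browsers without frame-ancestors support would then be unrestricted). The denied case keeps X-Frame-Options: DENY because frame-ancestors does not fall back to default-src.

```python
"""Choose the security headers for a pre-built UI response from the onboarded
customer allowlist. Added illustration, not the gateway's own code; the
allowlist, the function names and the way the embedding origin is obtained
are assumptions."""
from urllib.parse import urlsplit

# Constructed allowlist: hostnames customers supplied during onboarding,
# stored as https origins.
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://shop.example.net"})

# Sent on every response, allowed or not (values as in the page's examples).
BASELINE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "same-origin",
}

# The denied CSP has no frame-ancestors directive. frame-ancestors does not
# inherit from default-src, so X-Frame-Options: DENY carries the anti-framing
# protection on its own here.
DENY_CSP = ("default-src 'none'; img-src 'self'; script-src 'self'; "
            "style-src 'self'; object-src 'none'")


def normalize_origin(value):
    """Reduce a URL or origin string to 'https://host[:port]' in lower case.

    Returns None for anything that is not a plain https origin (http, a path,
    query or fragment, an unparsable port) and for wildcard hosts: each
    customer host must be registered explicitly, never expanded."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme != "https" or not parts.hostname or "*" in parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    origin = "https://" + parts.hostname.lower()
    if port and port != 443:
        origin += ":%d" % port
    return origin


def headers_for(embedding_origin, allowed_origins=ALLOWED_ORIGINS):
    """Return (status, headers) for a request whose embedding origin has been
    determined by code outside this example (assumption)."""
    headers = dict(BASELINE_HEADERS)
    origin = normalize_origin(embedding_origin)
    if origin not in allowed_origins:
        headers["X-Frame-Options"] = "DENY"
        headers["Content-Security-Policy"] = DENY_CSP
        return 404, headers
    # Only our own origin and the one onboarded origin may frame the page.
    headers["Content-Security-Policy"] = (
        f"frame-ancestors 'self' {origin}; default-src 'none'; img-src 'self' data:; "
        "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
        "object-src 'none'")
    return 200, headers


if __name__ == "__main__":
    for candidate in ("https://Example.com/", "http://example.com", "https://*.example.com", None):
        print(candidate, "->", headers_for(candidate))
```

Anything that is not a clean https origin, including a wildcard host or an http URL, normalizes to None and therefore falls through to the denied branch; this mirrors the page's examples, where the non-whitelisted response is a 404 with X-Frame-Options: DENY.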
Examples
Successful response with a whitelisted domain
```http
HTTP/2 200
content-type: text/html
content-length: 2316
date: Mon, 10 May 2021 23:43:56 GMT
last-modified: Mon, 10 May 2021 14:15:33 GMT
x-amz-expiration: expiry-date="Mon, 09 Aug 2021 00:00:00 GMT", rule-id="RemoveOld"
etag: "f784f581434c808b4a832cf632968920"
x-amz-server-side-encryption: AES256
x-amz-version-id: null
accept-ranges: bytes
server: AmazonS3
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-xss-protection: 1; mode=block
referrer-policy: same-origin
x-frame-options: ALLOWALL
content-security-policy: frame-ancestors 'self' https://example.com; default-src 'none'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'
vary: Accept-Encoding
x-cache: Hit from cloudfront
via: 1.1 0d9967d47f7c7fae8db89ba489f42356.cloudfront.net (CloudFront)
x-amz-cf-pop: MEL50-C2
x-amz-cf-id: TZK0_IATgASzs_SHaP4gAk1MHKIflBRBrdsG4arlw7_uNLWVi5f6dA==
age: 10926
```
Failed response with a not-whitelisted domain
```http
HTTP/2 404
content-type: text/html
content-length: 702
server: CloudFront
date: Tue, 11 May 2021 02:48:16 GMT
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-xss-protection: 1; mode=block
referrer-policy: same-origin
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-cache: Error from cloudfront
via: 1.1 a57d5b106eeca2cda8fd1ae27bc6a7d3.cloudfront.net (CloudFront)
x-amz-cf-pop: MEL50-C2
x-amz-cf-id: bO-euCC1_w2dS_8itfetF9H3GMQ_nJexOpeEp94DNje02E4WAO6juQ==
```
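To check responses like the two above, here is an added audit script that parses a raw response, reads the headers listed in the table, and works out who is effectively allowed to frame the page. It is not the gateway's tooling; the sample responses are trimmed copies of the page's two examples (CDN headers omitted), and the finding names and the HSTS threshold are assumptions. Two points it makes visible: CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it, so in the successful response the framing restriction comes from the CSP, and the X-Frame-Options value ALLOWALL is not one browsers recognize (DENY, SAMEORIGIN and the obsolete ALLOW-FROM are the defined values), so it is reported as unrecognized; in the failed response there is no frame-ancestors directive (and it does not inherit from default-src), so X-Frame-Options: DENY is what blocks framing.

```python
"""Audit the security headers of a raw HTTP response such as the two examples
on this page. Added illustration, not the gateway's tooling; the report
format, finding names and thresholds are assumptions."""

# Trimmed copies of the page's two example responses (CDN headers omitted).
ALLOWED_RESPONSE = """\
HTTP/2 200
content-type: text/html
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-xss-protection: 1; mode=block
referrer-policy: same-origin
x-frame-options: ALLOWALL
content-security-policy: frame-ancestors 'self' https://example.com; default-src 'none'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'
"""

DENIED_RESPONSE = """\
HTTP/2 404
content-type: text/html
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-xss-protection: 1; mode=block
referrer-policy: same-origin
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age worth accepting
XFO_VALUES = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM <uri> is handled separately


def parse_response(raw):
    """Split a raw response into (status_code, {lower-case header: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_csp(value):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_frame_ancestors(headers):
    """Return (sources, which_header) describing who may frame the page.

    frame-ancestors wins over X-Frame-Options where supported and does not
    inherit from default-src; without it only X-Frame-Options applies, and an
    unrecognized X-Frame-Options value is ignored, leaving framing open."""
    csp = parse_csp(headers.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return csp["frame-ancestors"], "csp"
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return [], "x-frame-options"
    if xfo == "SAMEORIGIN":
        return ["'self'"], "x-frame-options"
    return ["*"], "none"


def hsts_max_age(value):
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for part in value.replace(" ", "").split(";"):
        if part.lower().startswith("max-age="):
            digits = part.split("=", 1)[1]
            return int(digits) if digits.isdigit() else 0
    return 0


def audit(raw):
    """Check the headers from the table and report findings by name."""
    status, h = parse_response(raw)
    findings = []
    hsts = h.get("strict-transport-security", "")
    if hsts_max_age(hsts) < ONE_YEAR:
        findings.append("hsts-max-age-short")
    if "includesubdomains" not in hsts.lower():
        findings.append("hsts-no-subdomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no-nosniff")
    if "referrer-policy" not in h:
        findings.append("no-referrer-policy")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in XFO_VALUES and not xfo.startswith("ALLOW-FROM "):
        findings.append("xfo-unrecognized:" + xfo)
    ancestors, source = effective_frame_ancestors(h)
    if "*" in ancestors:
        findings.append("framing-unrestricted")
    return {"status": status, "frame_ancestors": ancestors,
            "frame_source": source, "findings": findings}


if __name__ == "__main__":
    for sample in (ALLOWED_RESPONSE, DENIED_RESPONSE):
        print(audit(sample))
```

Run against the page's successful response, the report lists 'self' and https://example.com as the only permitted framers, attributed to the CSP, with a single finding for the unrecognized X-Frame-Options value; the failed response reports an empty ancestor list coming from X-Frame-Options and no findings.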