Content Security Policy (CSP) in Beacon Code


The security risk of Act-On's Beacon Code is minimal: it sends a ping to our servers to register page visits, and supported browsers include protection against malicious JavaScript. Even so, you can prevent untrusted code from being run in place of the Beacon Code by using a content security policy (CSP) together with a hash or nonce that proves the script hasn't been modified.

The Basics

JavaScript lets you embed small programs into web pages; most of the interactivity you see in web pages is done with it. When JavaScript is embedded in a page, the code runs on the visitor's computer and may have access to sensitive information. That can introduce vulnerabilities, either if the script is modified or if a different version is injected through another route. To prevent this, you can use a content security policy together with a hash or nonce that proves the script hasn't been modified.

Types of CSP to Implement

Hash (Secure Hash Algorithms - SHA)

A hash takes the entire content of a given string and runs it through a mathematical function, producing a large number. If anything at all changes in the input, the output will be very different, so if the script is changed, the hash in your policy won't match and the browser won't run it.

  • Learn more from the CSP reference (external site).

Cryptographic Nonce

A nonce is similar to a hash, but the server generates a new random value for each response instead of committing to a fixed hash of the script. If you need to update your scripts often, a nonce is preferred.

  • Learn more from the CSP reference (external site).

Help With CSP Implementation

If you need help implementing a CSP in your Beacon Code, please contact support.
