by Source Defense

Content Security Policy (CSP) is often cited as a reliable cornerstone of modern web security. In theory, it gives organizations a powerful mechanism to restrict what code can run in the browser and where it can be loaded from. In practice, however, CSP routinely fails to deliver meaningful protection against real-world threats – particularly eSkimming.

The problem is not that CSP is poorly designed. The problem is that it was created for a web that no longer exists.

Enterprise websites today are dynamic, highly personalized, and deeply dependent on third-party services. CSP, by contrast, is a static control that assumes predictability. That mismatch is where most deployments begin to unravel.

The Operational Reality of CSP at Scale

In controlled environments, CSP can be effective. But at enterprise scale, security teams quickly encounter friction. Legitimate functionality often breaks under strict policies, forcing teams to loosen restrictions just to keep the business running.

Over time, CSP policies tend to expand to accommodate:

  • Marketing and advertising platforms
  • Analytics and experimentation tools
  • Personalization engines
  • Customer support widgets
  • Third-party APIs and CDNs
  • Inline scripts required by frameworks

Each exception weakens the policy. Eventually, CSP becomes permissive enough that it provides little real security value while still creating operational complexity.

Trusted Domains Are the Achilles’ Heel

CSP’s most fundamental limitation is that it cannot distinguish between benign and malicious behavior originating from an allowed source. If a domain is trusted, everything it serves is trusted as well.

This becomes dangerous in a supply-chain-driven web. When attackers compromise a third-party vendor – or inject malicious logic into an existing script – CSP offers no protection. The browser sees valid code coming from an approved source and allows it to execute freely.

From an attacker’s perspective, this is ideal. Rather than fighting CSP, they simply operate within it.
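The limitation described in this section is easy to see with a small model of how a browser applies the `script-src` directive. The following evaluator is an added example written for this page (it is not Source Defense code and not a browser's real CSP engine); the policy string, page origin and script records are constructed for illustration, and only host sources, `'self'`, `'unsafe-inline'` and nonces are modelled. The point it demonstrates is that the decision depends solely on where a script came from: a script from an allowlisted vendor CDN is allowed whether or not its contents have been tampered with, because the evaluator never looks at the `tampered` flag or at what the script does.

```javascript
// Added example (not from the original post): a minimal model of the CSP
// script-src decision. All policies, origins and script records are constructed.

// Parse the script-src directive of a policy string into a structured form.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('script-src'));
  if (!directive) return null;
  const tokens = directive.split(/\s+/).slice(1);
  return {
    self: tokens.includes("'self'"),
    unsafeInline: tokens.includes("'unsafe-inline'"),
    // "'nonce-abc'" -> "abc"
    nonces: tokens.filter((t) => t.startsWith("'nonce-")).map((t) => t.slice(7, -1)),
    // Anything not quoted is treated as a host source.
    hosts: tokens.filter((t) => !t.startsWith("'")),
  };
}

// Match a script origin against a host source, supporting a leading "*." wildcard.
function hostMatches(pattern, origin) {
  if (pattern === origin) return true;
  if (pattern.startsWith('https://*.')) {
    const suffix = pattern.slice('https://*'.length); // e.g. ".analytics.example"
    return origin.startsWith('https://') && origin.endsWith(suffix);
  }
  return false;
}

// Would the browser execute this script under the policy?
// script = { origin?, inline?, nonce?, tampered? }; pageOrigin is the document origin.
// Note that nothing here inspects the script body: origin is the only input.
function wouldExecute(policy, pageOrigin, script) {
  const d = parseScriptSrc(policy);
  if (!d) return true; // no script-src directive: nothing restricts scripts
  if (script.nonce && d.nonces.includes(script.nonce)) return true;
  // Per CSP, 'unsafe-inline' is ignored once a nonce (or hash) is present.
  if (script.inline) return d.unsafeInline && d.nonces.length === 0;
  if (d.self && script.origin === pageOrigin) return true;
  return d.hosts.some((h) => hostMatches(h, script.origin));
}

// Constructed enterprise-style policy: the page, a vendor CDN and an analytics wildcard.
const EXAMPLE_PAGE_ORIGIN = 'https://shop.example';
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.vendor.example https://*.analytics.example";

// The vendor's script is allowed, and the same origin serving modified content is
// allowed too: the policy cannot tell the two apart. An unlisted origin is blocked.
const healthyVendorScript = { origin: 'https://cdn.vendor.example' };
const tamperedVendorScript = { origin: 'https://cdn.vendor.example', tampered: true };
const unlistedScript = { origin: 'https://unlisted.example' };

console.log(wouldExecute(EXAMPLE_POLICY, EXAMPLE_PAGE_ORIGIN, healthyVendorScript)); // true
console.log(wouldExecute(EXAMPLE_POLICY, EXAMPLE_PAGE_ORIGIN, tamperedVendorScript)); // true
console.log(wouldExecute(EXAMPLE_POLICY, EXAMPLE_PAGE_ORIGIN, unlistedScript)); // false
```

Nonces and hashes (and Subresource Integrity) tighten the decision at load time, but they do not change the outcome above: once a host or a nonce-bearing tag is approved, the browser executes whatever that script does at runtime. Each host added to the list in the previous section widens the set of origins for which this is true.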

Maintenance Is Constant—and Unsustainable

CSP is not a “set and forget” control. Policies must be continuously updated as scripts change, vendors add features, and websites evolve. In large organizations, this maintenance burden becomes a full-time job.

Security teams often rely on developers to manage CSP updates, but developers lack visibility into runtime script behavior. The result is a reactive process where policies are adjusted only after something breaks – often at the expense of security.

The False Sense of Security

Perhaps the most dangerous aspect of CSP is psychological. Organizations believe they are protected because a policy exists. Meanwhile, attackers operate freely through trusted scripts, and data is exposed in ways CSP was never designed to prevent.

CSP still has a role to play, but it cannot be the primary defense against client-side threats. Real-world protection requires visibility into behavior, not just origin.

The Better Approach: Behavioral Controls

To defend against modern eSkimming, organizations must look beyond source-level restrictions. The solution is to monitor what scripts do, not where they come from.

Behavior-based controls focus on:

  • Detecting unauthorized data access
  • Blocking form interceptions
  • Preventing DOM manipulation
  • Stopping unauthorized network calls
  • Enforcing least-privilege script policies
  • Isolating untrusted scripts from sensitive user interactions

Instead of assuming a script is safe because of its origin or integrity at load time, behavioral systems continuously evaluate the script’s actions.
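To make the contrast with the origin-only decision concrete, here is an added example of a least-privilege behavioural policy for third-party scripts. It is illustrative code written for this page, not Source Defense's product or any browser API: the script identities, the per-script grants, the protected field selectors and the observed actions are all constructed, and the `attributeCaller` callback stands in for whatever mechanism a real agent uses to attribute an action to the script that performed it. The evaluator judges each action (a network call, a read of a page element) against what that particular script has been granted, so the same vendor script that CSP would always allow is blocked the moment it reaches for a card field or an ungranted destination.

```javascript
// Added example (not from the original post or any product): per-script
// least-privilege grants evaluated on observed behaviour, not on origin.
// All script URLs, grants, selectors and actions below are constructed.

// What each known third-party script is permitted to do.
const SCRIPT_POLICY = {
  'https://cdn.vendor.example/tag.js': {
    network: ['https://collect.vendor.example'], // may report only to its own collector
    readSelectors: [],                           // may not read any page fields
  },
  'https://widget.support.example/chat.js': {
    network: ['https://api.support.example'],
    readSelectors: ['#support-chat'],            // may read only its own container
  },
};

// Fields no third-party script may read, regardless of its grants.
const SENSITIVE_SELECTORS = ['input[name=card-number]', 'input[name=cvv]'];

// Evaluate one observed action.
// action = { script, type: 'network' | 'read', target }
function evaluateAction(action) {
  const grants = SCRIPT_POLICY[action.script];
  if (!grants) return { allow: false, reason: 'script not in policy' };

  if (action.type === 'network') {
    let origin;
    try {
      origin = new URL(action.target).origin;
    } catch (e) {
      return { allow: false, reason: 'unparseable request target' };
    }
    return grants.network.includes(origin)
      ? { allow: true, reason: 'granted destination' }
      : { allow: false, reason: `network call to ungranted origin ${origin}` };
  }

  if (action.type === 'read') {
    if (SENSITIVE_SELECTORS.includes(action.target)) {
      return { allow: false, reason: `read of sensitive field ${action.target}` };
    }
    return grants.readSelectors.includes(action.target)
      ? { allow: true, reason: 'granted element' }
      : { allow: false, reason: `read of ungranted element ${action.target}` };
  }

  return { allow: false, reason: `unsupported action type ${action.type}` };
}

// Wrap a fetch implementation so each call is attributed to a script and checked
// before it leaves the page. Returns the guarded function and a log of blocked
// attempts, which is the detection signal a security team would review.
function guardFetch(realFetch, attributeCaller) {
  const blocked = [];
  const guarded = (url, init) => {
    const script = attributeCaller(); // hypothetical attribution hook
    const verdict = evaluateAction({ script, type: 'network', target: String(url) });
    if (!verdict.allow) {
      blocked.push({ script, url: String(url), reason: verdict.reason });
      return Promise.reject(new Error(`blocked: ${verdict.reason}`));
    }
    return realFetch(url, init);
  };
  return { guarded, blocked };
}

// Constructed walk-through: the vendor tag reports to its collector (allowed),
// then the same script attempts an ungranted destination and a card-field read.
const fakeFetch = () => Promise.resolve({ ok: true });
let activeScript = 'https://cdn.vendor.example/tag.js';
const { guarded, blocked } = guardFetch(fakeFetch, () => activeScript);

guarded('https://collect.vendor.example/v1/events').catch(() => {});
guarded('https://unknown.example/collect').catch(() => {});
console.log(blocked); // one entry: the call to https://unknown.example
console.log(evaluateAction({ script: activeScript, type: 'read', target: 'input[name=cvv]' }).allow); // false
```

In a browser deployment the wrapper would be installed over `window.fetch` and `XMLHttpRequest` (and equivalent hooks over DOM reads and form events) before any third-party script loads; the policy logic is the same. The important design property is that the verdict never consults the script's origin beyond looking up its grants: a compromised but allowlisted script gets exactly the permissions it had before, and nothing more.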

Source Defense is the pioneer in behavior-based script control and eSkimming prevention. Our solution is trusted the world over by the most demanding merchants, by the card associations themselves, and by an ever-growing list of payment ecosystem partners. Learn more about our approach – request a demo today!

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.
