Why CSP is Critical for Crypto Payments
An XSS attack on a crypto payment page can replace your deposit address with an attacker's address. Unlike card fraud, this is irreversible — funds sent to the wrong address are gone forever.
Recommended CSP Header
Content-Security-Policy:
default-src 'none';
script-src 'self' 'nonce-{RANDOM_NONCE}';
style-src 'self' 'nonce-{RANDOM_NONCE}';
img-src 'self' data: https://cdn.paychainly.com;
connect-src 'self' https://api.paychainly.com wss://api.paychainly.com;
font-src 'self';
form-action 'self';
frame-ancestors 'none';
base-uri 'self';
Nonce Implementation in Next.js
// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Middleware runs on the Edge runtime, where Node's `crypto` module is not
  // available; use the Web Crypto global to draw 16 fresh random bytes per request.
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  const nonce = btoa(String.fromCharCode(...bytes));
  // The remaining directives are the ones from the recommended header above.
  const csp = `script-src 'self' 'nonce-${nonce}'; ...`;
  // Forward the nonce on the request so the rendered page can read it
  // (via headers()) and stamp it onto its own <script> and <style> tags.
  const headers = new Headers(request.headers);
  headers.set('x-nonce', nonce);
  const response = NextResponse.next({ request: { headers } });
  // The browser enforces the policy from the response header, so the same
  // nonce must appear here and in the page markup.
  response.headers.set('Content-Security-Policy', csp);
  return response;
}
Additional Headers
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Browsers that support CSP ignore X-Frame-Options when frame-ancestors is present; keep it for older browsers, and make sure the two never disagree.
Subresource Integrity for CDN Assets
<script
  src="https://cdn.paychainly.com/widget.js"
  integrity="sha384-..."
  crossorigin="anonymous"></script>
Always use SRI hashes for third-party scripts on payment pages — a compromised CDN without SRI can inject address-swapping code.