Overview

We take security very seriously: it is our business to keep your business online, and security is a crucial part of that. This page describes security at Pelcro.

HTTPS for secure connections

Pelcro forces HTTPS for all services using TLS (SSL), including but not limited to our public website, the platform, our APIs and CDN.

We enforce TLS 1.2 or later throughout our entire infrastructure, with the exception of our CDN. TLS 1.2+ offers a number of advantages, including fast protocol streaming, secure cryptographic primitives, and improved speed and efficiency.

For more technical information, see the best practices outlined in RFC 7525, which explains why TLS 1.0 and TLS 1.1 are considered insecure and why their use is discouraged.

Content Security Policy

If you have deployed or plan to deploy a CSP on your site, the directives will have to be modified so that your integration with Pelcro remains fully functional. We strongly encourage you to test your CSP against our staging environment before deploying it on your production website.

Below are the minimum required directives.

Directive      Source(s)
script-src     'unsafe-inline' https://*.pelcro.com https://js.stripe.com
style-src      'unsafe-inline'
connect-src    https://*.pelcro.com https://api.stripe.com
frame-src      https://*.pelcro.com https://js.stripe.com https://hooks.stripe.com
img-src        https://*.pelcro.com

Content Security Policy for features and integrations

Additional directives are required depending on which features and integrations you have enabled with us, such as Google Analytics, Google Tag Manager, PayPal, Google login/register, Facebook login/register or Risk Assessment.

Google Analytics

Directive      Source(s)
script-src     https://www.google-analytics.com
connect-src    https://www.google-analytics.com
img-src        https://www.google-analytics.com

Google Tag Manager

Directive      Source(s)
script-src     https://www.googletagmanager.com
img-src        www.googletagmanager.com

PayPal

Directive      Source(s)
script-src     https://*.paypal.com https://*.braintreegateway.com
connect-src    https://*.paypal.com https://*.braintreegateway.com https://*.braintree-api.com
frame-src      https://*.paypal.com

Vantiv

Directive      Source(s)
frame-src      https://request.eprotect.vantivprelive.com

Google login/register

Directive      Source(s)
script-src     https://www.google.com https://www.gstatic.com https://apis.google.com
frame-src      https://www.google.com https://accounts.google.com

Facebook login/register

Directive      Source(s)
script-src     https://connect.facebook.net https://graph.facebook.com https://js.facebook.com
frame-src      *.facebook.com connect.facebook.net
img-src        *.facebook.com *.facebook.net *.fbcdn.net
connect-src    *.facebook.com connect.facebook.net

Auth0 login/register

Directive      Source(s)
script-src     https://cdn.auth0.com
connect-src    https://*.auth0.com

Risk Assessment

Directive      Source(s)
script-src     https://www.google.com https://www.gstatic.com
frame-src      https://www.google.com
img-src        https://www.gstatic.com https://www.google-analytics.com

There is no policy that fits all websites, and implementing a good CSP is not trivial. To make your implementation easier, you can use an online generator, and we encourage you to validate your CSP header using a tool such as Google's CSP Evaluator. Do not hesitate to contact us if any part of the flow is not working as expected or if you have any questions.
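The following added example (my own code, not Pelcro's) assembles a policy from the minimum directives above plus a subset of the integration tables (Google Analytics and Google Tag Manager, under labels of my own choosing) and reports which required sources a deployed header lacks. It assumes each directive is either listed in the header or absent; fallback from a missing directive to default-src is not modelled.

```python
# Added example (not Pelcro's own code): build a Content-Security-Policy value
# from the minimum Pelcro directives on this page plus the extra sources each
# enabled integration needs, and diff an existing header against it.
BASE = {
    "script-src": ["'unsafe-inline'", "https://*.pelcro.com", "https://js.stripe.com"],
    "style-src": ["'unsafe-inline'"],
    "connect-src": ["https://*.pelcro.com", "https://api.stripe.com"],
    "frame-src": ["https://*.pelcro.com", "https://js.stripe.com", "https://hooks.stripe.com"],
    "img-src": ["https://*.pelcro.com"],
}
INTEGRATIONS = {  # subset of the page's tables; the keys are my own labels
    "google-analytics": {
        "script-src": ["https://www.google-analytics.com"],
        "connect-src": ["https://www.google-analytics.com"],
        "img-src": ["https://www.google-analytics.com"],
    },
    "google-tag-manager": {
        "script-src": ["https://www.googletagmanager.com"],
        "img-src": ["www.googletagmanager.com"],  # schemeless, as on the page
    },
}

def build_policy(enabled):
    """Merge BASE with each enabled integration, deduplicating sources in order."""
    policy = {d: list(srcs) for d, srcs in BASE.items()}
    for name in enabled:
        for directive, srcs in INTEGRATIONS[name].items():
            bucket = policy.setdefault(directive, [])
            bucket.extend(s for s in srcs if s not in bucket)
    return policy

def render_header(policy):
    """Serialise a policy dict to a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())

def parse_header(header):
    """Parse a CSP header value into {directive: [sources]}; names lowercased."""
    parts = (p.split() for p in header.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def missing_sources(deployed_header, enabled):
    """Per directive, the required sources absent from a deployed header (empty = OK)."""
    deployed = parse_header(deployed_header)
    gaps = {}
    for directive, srcs in build_policy(enabled).items():
        absent = [s for s in srcs if s not in deployed.get(directive, [])]
        if absent:
            gaps[directive] = absent
    return gaps
```

Google's CSP Evaluator will flag 'unsafe-inline' in script-src, which the minimum directives above require, so expect that finding when validating the generated header.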
