HTTPS for secure connections

Pelcro forces HTTPS for all services using TLS (SSL), including but not limited to our public website, the platform, our APIs and CDN.

TLS 1.2+ offers a number of advantages including fast protocol streaming, secure primitives and enhanced speed and efficiency, which is enforced throughout our entire infrastructure, excluding our CDN.

For more technical information, see the best practices outlined in RFC-7525, which highlights the reasons why it is discouraged to use protocol TLS 1.0 and TLS 1.1, which are considered insecure.

Content Security Policy

If you have deployed or plan to deploy a CSP on your site, the directives will have to be modified so that your integration with Pelcro remains fully functional. We strongly encourage you to test your CSP against our staging environment before deploying it on your production website.

Below are the minimum required directives.

Directive	Source(s)
`script-src`	`'unsafe-inline'` `https://*.pelcro.com` `https://js.stripe.com`
`style-src`	`'unsafe-inline'`
`connect-src`	`https://*.pelcro.com` `https://api.stripe.com`
`frame-src`	`https://*.pelcro.com` `https://js.stripe.com` `https://hooks.stripe.com`
`img-src`	`https://*.pelcro.com`

Content Security Policy for features and integrations

Additional directives are required depending on which features and integrations you enabled with us, such as Google Analytics, Google Tag Manager, PayPal, Google login/register, Facebook login/register or Risk Assessment.

Google Analytics

Directive	Source(s)
`script-src`	`https://www.google-analytics.com`
`connect-src`	`https://www.google-analytics.com`
`img-src`	`https://www.google-analytics.com`

Google Tag Manager

Directive	Source(s)
`script-src`	`https://www.googletagmanager.com`
`img-src`	`www.googletagmanager.com`

PayPal

Directive	Source(s)
`script-src`	`https://.paypal.com` `https://.braintreegateway.com`
`connect-src`	`https://.paypal.com` `https://.braintreegateway.com` `https://*.braintree-api.com`
`frame-src`	`https://*.paypal.com`

Vantiv

Directive	Source(s)
`frame-src`	`https://request.eprotect.vantivprelive.com`

Google login/register

Directive	Source(s)
`script-src`	`https://www.google.com` `https://www.gstatic.com` `https://apis.google.com`
`frame-src`	`https://www.google.com` `https://accounts.google.com`

Facebook login/register

Directive	Directive
`script-src`	`https://connect.facebook.net` `https://graph.facebook.com` `https://js.facebook.com`
`frame-src`	`*.facebook.com` `connect.facebook.net`
`img-src`	`.facebook.com` `.facebook.net` `*.fbcdn.net`
`connect-src`	`*.facebook.com` `connect.facebook.net`

Auth0 login/register

Directive	Directive
`script-src`	`https://cdn.auth0.com`
`connect-src`	`https://*.auth0.com`

Risk Assessment

Directive	Source(s)
`script-src`	`https://www.google.com` `https://www.gstatic.com`
`frame-src`	`https://www.google.com`
`img-src`	`https://www.gstatic.com` `https://www.google-analytics.com`

There is no policy that fits all website and implementing a good CSP is not trivial. To make your implementation easier, you can use an online generator and we encourage you to validate your CSP header using a tool such as Google's CSP Evaluator. Do not hesitate to contact us if any part of the flow is not working as expected or if you have any questions.