Overview
We take security very seriously. It is our business to keep your business online, and security is a crucial part of that. Learn about security at Pelcro.
HTTPS for secure connections
Pelcro forces HTTPS for all services using TLS (SSL), including but not limited to our public website, the platform, our APIs and CDN.
TLS 1.2+ offers a number of advantages, including modern secure primitives and faster, more efficient handshakes and streaming. We enforce a minimum of TLS 1.2 throughout our entire infrastructure, with the exception of our CDN.
For more technical information, see the best practices outlined in RFC 7525, which explains why TLS 1.0 and TLS 1.1 are considered insecure and why their use is discouraged.
Content Security Policy
If you have deployed or plan to deploy a CSP on your site, the directives will have to be modified so that your integration with Pelcro remains fully functional. We strongly encourage you to test your CSP against our staging environment before deploying it on your production website.
Below are the minimum required directives.
Directive | Source(s) |
---|---|
Content Security Policy for features and integrations
Additional directives are required depending on which features and integrations you have enabled with us, such as Google Analytics, Google Tag Manager, PayPal, Google login/register, Facebook login/register or Risk Assessment.
Google Analytics
Directive | Source(s) |
---|---|
Google Tag Manager
Directive | Source(s) |
---|---|
PayPal
Directive | Source(s) |
---|---|
Vantiv
Directive | Source(s) |
---|---|
Google login/register
Directive | Source(s) |
---|---|
Facebook login/register
Directive | Source(s) |
---|---|
Auth0 login/register
Directive | Source(s) |
---|---|
Risk Assessment
Directive | Source(s) |
---|---|
There is no policy that fits all websites, and implementing a good CSP is not trivial. To make your implementation easier, you can use an online generator, and we encourage you to validate your CSP header using a tool such as Google's CSP Evaluator. Do not hesitate to contact us if any part of the flow is not working as expected or if you have any questions.
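Before deploying a CSP, it helps to check offline that the header you intend to ship actually permits every origin an integration needs, including directives you did not write explicitly and which therefore fall back to `default-src`. The script below is an added example, not Pelcro's code or tooling: it parses a CSP header, resolves the `default-src` fallback, matches host and scheme source expressions (including `*.` wildcards), and reports which required origins would be blocked. The `REQUIRED` map and the `vendor.example` origins are constructed placeholders standing in for the directive tables above, not Pelcro's actual directives or hostnames.

```python
"""Offline check that a Content-Security-Policy header permits the origins an
integration needs. Added illustration; the vendor origins below are constructed
placeholders, not Pelcro's actual directive list."""
from __future__ import annotations

# Fetch directives fall back to default-src when they are absent from the policy.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Browsers ignore a directive that appears a second time, so keep the first."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def source_matches(expr: str, origin: str) -> bool:
    """Does one source expression allow a request to `origin` (scheme://host[:port])?
    Keywords ('self', nonces, hashes) never match a third-party origin. Ports must
    be written identically on both sides (a simplification of the spec's port rules)."""
    expr, origin = expr.lower().rstrip("/"), origin.lower().rstrip("/")
    if expr == "*":
        return True
    if expr.startswith("'"):
        return False
    if expr.endswith(":"):                      # scheme-source: https:, data:, blob:
        return origin.startswith(expr)
    o_scheme, _, o_host = origin.partition("://")
    if "://" in expr:
        e_scheme, e_host = expr.split("://", 1)
        if e_scheme != o_scheme:
            return False
    else:
        e_host = expr                           # scheme-less host-source inherits the page scheme
    if e_host.startswith("*."):                 # wildcard covers any depth of subdomain, not the apex
        return o_host.endswith(e_host[1:])
    return e_host == o_host


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list that governs `directive`, honouring the default-src fallback.
    None means the policy does not restrict that directive at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def check_policy(header: str, required: dict[str, list[str]]) -> list[str]:
    """Return 'directive origin' strings for every required origin the header would block."""
    policy = parse_csp(header)
    blocked: list[str] = []
    for directive, origins in required.items():
        sources = effective_sources(policy, directive)
        if sources is None:
            continue
        for origin in origins:
            if not any(source_matches(s, origin) for s in sources):
                blocked.append(f"{directive} {origin}")
    return blocked


# Constructed placeholder requirements standing in for an integration's directive table.
REQUIRED = {
    "script-src": ["https://sdk.vendor.example"],
    "connect-src": ["https://api.vendor.example"],
    "img-src": ["https://cdn.vendor.example"],
    "frame-src": ["https://checkout.vendor.example"],
}

# Constructed sample headers: a locked-down policy that breaks the integration,
# and the same policy with the required sources added.
WEAK_POLICY = "default-src 'self'; script-src 'self'"
HARDENED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://sdk.vendor.example; "
    "connect-src 'self' https://*.vendor.example; "
    "img-src 'self' https: data:; "
    "frame-src https://checkout.vendor.example"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = check_policy(header, REQUIRED)
        print(f"{label}: {len(findings)} blocked", *findings, sep="\n  ")
```

Run it against the header your staging site actually sends (for example, copied from the browser's network panel) with `REQUIRED` replaced by the entries from the tables above; an empty result means every listed origin is reachable under that policy, while each reported line names the directive you still need to extend. The check is deliberately conservative: it treats a directive that is absent and has no `default-src` fallback as unrestricted, exactly as a browser would.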