Special Cases

Content Security Policy (CSP)

If you're experiencing Content Security Policy (CSP) issues during the 3DS authentication step, we encourage you to use the Content-Security-Policy-Report-Only header before applying any new stricter policies. This allows you to monitor and collect reports of all external 3DS servers accessed during the authentication process, helping you build a comprehensive whitelist.
Read more about it here.

Best Practice:

  • Enable Content-Security-Policy-Report-Only and review the reports generated when users complete 3DS authentication.
  • Maintain a full list of the 3DS servers/domains required for your payment flows.
  • Once you have a complete list, you can safely strengthen your CSP by whitelisting only the necessary domains and switching to an enforced policy.

This approach helps you avoid breaking the 3DS flow for your customers while improving your site's security over time.

Note: EveryPay does not maintain or provide a list of 3DS servers or domains. You are responsible for building and maintaining your own whitelist based on the domains reported by your users' payment flows.
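The collect-then-enforce step described above, as an added example that is not part of EveryPay's documentation or code: it takes the JSON bodies a browser POSTs to the report endpoint while the Report-Only header is active, groups the blocked origins per directive, and renders a candidate enforced policy. The base directives, the report samples and the 3DS hostnames are constructed placeholders, not real ACS or SDK domains.

```javascript
// Added example (not EveryPay code): aggregate CSP violation reports received while
// Content-Security-Policy-Report-Only is active and derive a candidate enforced policy.
// Handles the legacy report-uri JSON body and the Reporting API array form.
// Sample reports and 3DS hostnames below are constructed placeholders.
const BASE_POLICY = {
  "default-src": ["'self'"], "script-src": ["'self'"],
  "frame-src": ["'self'"], "connect-src": ["'self'"],
};
// Constructed reports, as seen when a 3DS challenge iframe and SDK script were blocked.
const SAMPLE_REPORTS = [
  { "csp-report": { "violated-directive": "frame-src",
      "blocked-uri": "https://acs.issuer-bank.example/3ds/challenge?tx=1" } },
  { "csp-report": { "effective-directive": "frame-src",
      "blocked-uri": "https://acs.issuer-bank.example/3ds/method" } },
  [{ type: "csp-violation", body: { effectiveDirective: "script-src",
      blockedURL: "https://3ds-sdk.example/v2/sdk.js" } }],
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "inline" } },
];
// Reduce one POST body to [{directive, blockedUri}] regardless of report format.
function normalizeReport(payload) {
  if (Array.isArray(payload)) {  // Reporting API (report-to) shape
    return payload.filter((r) => r.type === "csp-violation")
      .map((r) => ({ directive: r.body.effectiveDirective, blockedUri: r.body.blockedURL }));
  }
  const r = payload["csp-report"] || {};  // legacy report-uri shape
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  return [{ directive, blockedUri: r["blocked-uri"] }];
}
// Only http(s) URLs can be whitelisted by origin; "inline", "eval" or data: URLs
// need a nonce/hash or a code change instead, so they are returned as null.
function originOf(blockedUri) {
  try { const u = new URL(blockedUri); return /^https?:$/.test(u.protocol) ? u.origin : null; }
  catch { return null; }
}
// Group origins per directive and keep the entries a domain list cannot fix.
function buildWhitelist(reports) {
  const byDirective = new Map(), unresolvable = [];
  for (const { directive, blockedUri } of reports.flatMap(normalizeReport)) {
    const origin = originOf(blockedUri);
    if (!directive || !origin) { unresolvable.push({ directive, blockedUri }); continue; }
    if (!byDirective.has(directive)) byDirective.set(directive, new Set());
    byDirective.get(directive).add(origin);
  }
  return { byDirective, unresolvable };
}
// Render the enforced header value: base sources plus observed origins, sorted.
function buildEnforcedPolicy(byDirective, base = BASE_POLICY) {
  return Object.entries(base)
    .map(([d, srcs]) => [d, ...srcs, ...[...(byDirective.get(d) || [])].sort()].join(" "))
    .join("; ");
}
```

Review the collected origins by hand before moving the rendered value into an enforcing Content-Security-Policy header; the unresolvable entries need a nonce, hash or code change rather than another domain.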

Alternatively, for web implementations, you can set the options redirect: true and isMobile: false in your Payform's initial setup. This opens the 3DS flow in a new browser tab, keeping the authentication process off your domain and avoiding CSP issues.

everypay.payform({
    redirect: true,
    isMobile: false,
    ...
})

Important:

  • This approach may lead to lower successful payment rates, as many browsers can block new tabs or windows.
  • Opening a new tab may also confuse or scare users, causing them to decline or abandon the payment.