Content Security Policy (CSP) Guidelines for Embedding Form-API

With the Form-API, you can design highly customized single- or multi-step donation forms for your website using just HTML and JavaScript—no server-side programming required.
To ensure both functionality and security, we recommend configuring a Content Security Policy (CSP)—a browser-level security mechanism that restricts which resources (scripts, styles, iframes, etc.) can be loaded by your page.

A well-defined CSP limits the damage of cross-site scripting (XSS) and other injection attacks: even if an attacker manages to inject markup into your page, the browser will only execute scripts, apply styles, embed frames and open connections to the origins the policy lists. It is a defense-in-depth control, not a substitute for output encoding and input validation. Because Form-API may integrate with third-party payment providers such as Stripe, PayPal and Micropayment, your CSP must explicitly allow scripts, frames and connections to those platforms; otherwise the form will render incompletely or payment processing will fail.
This guide lists the CSP directives required by Form-API and its supported payment gateways, so you can keep the policy as tight as possible while the form still works.

Below are the recommended CSP directives needed to support Form-API and its supported payment providers:

Directive     Value
base-uri      'self'
default-src   'self'
connect-src   https://secure.fundraisingbox.com https://api.stripe.com https://www.paypal.com https://www.sandbox.paypal.com
frame-src     https://secure.fundraisingbox.com https://*.js.stripe.com https://js.stripe.com https://hooks.stripe.com https://www.paypal.com https://www.sandbox.paypal.com https://sipg.micropayment.de
img-src       data: https://secure.fundraisingbox.com
script-src    https://secure.fundraisingbox.com https://*.js.stripe.com https://js.stripe.com https://www.paypal.com https://www.sandbox.paypal.com https://sipg.micropayment.de
style-src     https://secure.fundraisingbox.com
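The following checker is an added example and is not part of the Form-API documentation or of FundraisingBox's own code. It builds the recommended header value from the table above, parses a header you already deploy, and reports required sources that are missing, risky tokens such as 'unsafe-inline', and explicit directives that silently drop the 'self' fallback. The origins are copied from the table; the sample header at the bottom is constructed to show what the findings look like. It runs offline under Node.js.

```javascript
// Added example, not part of the Form-API documentation: build the recommended
// Content-Security-Policy header and audit an existing header against it.

// Sources copied from the directive table above. Keyword sources keep their quotes.
const FRB = 'https://secure.fundraisingbox.com';
const MICROPAYMENT = 'https://sipg.micropayment.de';
const PAYPAL = ['https://www.paypal.com', 'https://www.sandbox.paypal.com'];
const STRIPE_JS = ['https://*.js.stripe.com', 'https://js.stripe.com'];
const REQUIRED = {
  'base-uri': ["'self'"],
  'default-src': ["'self'"],
  'connect-src': [FRB, 'https://api.stripe.com', ...PAYPAL],
  'frame-src': [FRB, ...STRIPE_JS, 'https://hooks.stripe.com', ...PAYPAL, MICROPAYMENT],
  'img-src': ['data:', FRB],
  'script-src': [FRB, ...STRIPE_JS, ...PAYPAL, MICROPAYMENT],
  'style-src': [FRB],
};

// Fetch directives fall back to default-src only while they are absent; once one is
// set it replaces default-src for that resource type. base-uri has no fallback at all.
const FETCH_DIRECTIVES = ['connect-src', 'frame-src', 'img-src', 'script-src', 'style-src'];

// Serialise a directive map into a header value: "base-uri 'self'; default-src 'self'; ...".
function buildPolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value into { directiveName: Set(sourceTokens) }. Directive names are
// case-insensitive; source tokens are kept verbatim and compared literally below.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name in policy) continue; // browsers honour only the first occurrence of a directive
    policy[name] = new Set(tokens.slice(1));
  }
  return policy;
}

// Audit a header. Returns findings as { level: 'error' | 'warning' | 'note', directive, message }.
function checkPolicy(header, required = REQUIRED) {
  const policy = parsePolicy(header);
  const findings = [];
  const add = (level, directive, message) => findings.push({ level, directive, message });

  // 1. Every required directive must exist and list every required source.
  for (const [name, sources] of Object.entries(required)) {
    const actual = policy[name];
    if (!actual) {
      add('error', name, `directive missing; required: ${sources.join(' ')}`);
      continue;
    }
    const wildcard = actual.has('*'); // '*' covers any host source, but not data: or keywords
    for (const src of sources) {
      if (actual.has(src)) continue;
      if (wildcard && src.startsWith('https://')) continue;
      add('error', name, `missing source ${src}`);
    }
  }

  // 2. Tokens that widen the policy far beyond the payment providers.
  const RISKY = {
    "'unsafe-inline'": 'lets injected inline code run; use nonces or hashes instead',
    "'unsafe-eval'": 'lets injected strings be evaluated as code',
    '*': 'allows loading from any origin',
  };
  for (const name of ['default-src', 'script-src', 'style-src']) {
    const actual = policy[name];
    if (!actual) continue;
    for (const [token, why] of Object.entries(RISKY)) {
      if (actual.has(token)) add('warning', name, `${token} ${why}`);
    }
  }

  // 3. The recommended values omit 'self'. That is fine for a page that loads nothing
  // of that type from its own origin; otherwise 'self' must be repeated per directive.
  if (policy['default-src'] && policy['default-src'].has("'self'")) {
    for (const name of FETCH_DIRECTIVES) {
      if (policy[name] && !policy[name].has("'self'")) {
        add('note', name, "lacks 'self'; this directive replaces default-src, so same-origin resources of this type are blocked");
      }
    }
  }
  return findings;
}

// Demo with a constructed, deliberately incomplete header.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://js.stripe.com; " +
  'connect-src https://secure.fundraisingbox.com';
console.log('Recommended header:\n  ' + buildPolicy(REQUIRED));
for (const f of checkPolicy(SAMPLE_HEADER)) {
  console.log(`[${f.level}] ${f.directive}: ${f.message}`);
}
```

Run it with node and pass the header value your server actually sends to checkPolicy(). Source tokens are compared literally (apart from '*'), so an origin written differently from the table is reported as missing; review such findings against your header rather than treating them as blockers. The 'self' notes are expected for the recommended values and only matter if your page serves resources of that type from its own origin.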

Tip

Test your policy in a staging environment before deploying it to production. The safest way is to deliver it first as a Content-Security-Policy-Report-Only header: the browser reports violations (to the developer console and to any report-to or report-uri endpoint you configure) without blocking anything, so you can see which resources would be affected before switching to the enforcing header. Note also that an explicitly set directive replaces the default-src fallback rather than extending it: the values above do not include 'self', so if your own page loads scripts, styles or images from its own origin, or calls its own backend with fetch or XMLHttpRequest, add 'self' to the corresponding directive.