# Browser-Level Protection

#### Content Security Policy (CSP)

MyBucks.online implements a strict Content Security Policy (CSP) to provide an essential layer of defense against Cross-Site Scripting (XSS) and data injection attacks. This policy instructs your browser to only execute scripts that are explicitly authorized and hosted on our verified domain.

Because our wallet is entirely self-custodial and runs in your local environment, the CSP is configured to block all unauthorized third-party connections. This prevents malicious actors from injecting scripts that could attempt to capture your credentials or exfiltrate sensitive data. By enforcing these restrictions at the browser level, we ensure that the wallet's code remains isolated and secure during your entire session.

Minimizing third-party JavaScript dependencies is a core security baseline for our project, significantly reducing the attack surface for XSS and malicious injections.

#### Actual CSP Header

```
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob: https://cdn.moralis.io https://logo.moralis.io https://assets.coingecko.com https://beaverbuild.com https://opensea.io;
font-src 'self' data:;
connect-src https://*.infura.io https://api.trongrid.io https://deep-index.moralis.io https://api.blockchain.info https://bsc-dataseed.binance.org https://gasstation.polygon.technology;
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
upgrade-insecure-requests;
```

We have removed **'self'** from the **connect-src** directive in our Content Security Policy (CSP). Since mybucks.online is a fully static, browser-only application with no backend under the same origin, this keyword was unnecessary.
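To show how the policy above can be checked mechanically, here is an added example (not MyBucks.online's own code) that parses a serialized CSP header into its directives and audits it for the properties the page relies on: no inline or wildcard script sources, plugins disabled, `base-uri` and `frame-ancestors` set, and no wide-open or plaintext `connect-src` origins. The header string is the one shown above; the audit rules and the fallback-to-`default-src` handling are this example's own assumptions about what a reviewer would check.

```javascript
// Added example, not MyBucks.online's own code: parse a CSP header and check it
// against the hardening rules described on this page. The header string is the
// one shown above; the audit rules are this example's assumptions.
const MYBUCKS_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data: blob: https://cdn.moralis.io https://logo.moralis.io https://assets.coingecko.com https://beaverbuild.com https://opensea.io",
  "font-src 'self' data:",
  "connect-src https://*.infura.io https://api.trongrid.io https://deep-index.moralis.io https://api.blockchain.info https://bsc-dataseed.binance.org https://gasstation.polygon.technology",
  "object-src 'none'",
  "base-uri 'self'",
  "form-action 'self'",
  "frame-ancestors 'none'",
  "upgrade-insecure-requests",
].join("; ");

// Parse a serialized policy into { directiveName: [sourceExpressions] }.
// Names are case-insensitive; a repeated directive is ignored after its first occurrence, as browsers do.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Audit a parsed policy; returns a list of findings (empty list = passes).
// Fetch directives fall back to default-src when absent, as the spec defines.
function auditCsp(policy) {
  const findings = [];
  const scriptSrc = policy["script-src"] ?? policy["default-src"] ?? [];
  if (scriptSrc.length === 0) findings.push("no script-src/default-src: scripts unrestricted");
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"]) {
    if (scriptSrc.includes(weak)) findings.push(`script-src allows ${weak}`);
  }
  const objectSrc = policy["object-src"] ?? policy["default-src"] ?? [];
  if (!objectSrc.includes("'none'")) findings.push("object-src should be 'none'");
  if (!policy["base-uri"]) findings.push("base-uri missing: an injected <base> could redirect relative script URLs");
  if (!policy["frame-ancestors"]) findings.push("frame-ancestors missing: page can be framed (clickjacking)");
  const connectSrc = policy["connect-src"] ?? policy["default-src"] ?? [];
  for (const src of connectSrc) {
    if (src === "*" || /^https?:$/.test(src)) findings.push(`connect-src is wide open (${src})`);
    if (/^http:\/\//.test(src)) findings.push(`connect-src allows plaintext origin ${src}`);
  }
  return findings;
}
```

Running `auditCsp(parseCsp(MYBUCKS_CSP))` returns an empty list, while a policy that falls back to `default-src *` or adds `'unsafe-inline'` to `script-src` produces one finding per weakness.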

#### Independent Security Verification

We encourage users to independently verify our security configuration using the **Mozilla Observatory**. This is a free, open-source tool provided by Mozilla that scans websites to ensure they follow modern security best practices, such as the correct implementation of **Content Security Policy** (CSP) and secure transport protocols.

By running a scan, you can view our current security grade and confirm that we have strictly restricted resource loading to protect your session. You can perform a live security audit of our domain at any time by visiting the [Mozilla Observatory](https://developer.mozilla.org/en-US/observatory) and entering **app.mybucks.online**.
