SVG XSS Protection

The Shopware Security Update 10/2021 refers to a possible cross-site scripting (XSS) vulnerability based on SVG graphics. If SVG graphics from third-party providers are loaded into your own online store, the SVG graphics can be manipulated so that possible malicious code can be executed.

When using the creoline CDN, SVG graphics are automatically delivered with the necessary 'Content-Security-Policy' header so that cross-site scripting (XSS) within the SVG graphic is prevented.

CDN Example Request:



Content-Type image/svg+xml
Content-Length 3087
Server creoline
Cache-Control max-age=31536000, public


Content-Security-Policy script-src 'none'


x-edge-pop FRANKFURT
x-cache HIT

All requests of content type image/svg or image/svg+xml are automatically supplemented with the Content-Security-Policy header so that your online store is automatically protected.

Additional measures

If you deliver SVG graphics independently of the creoline CDN on your website, the 'Content-Security-Policy' header should also be set for all SVG files.

Apache web server

# .htaccess

<IfModule mod_headers.c>
    <FilesMatch "\.(?i:svg)$">
        Header set Content-Security-Policy "script-src 'none'"

nginx web server

# nginx.conf (/etc/nginx/conf.d/*.conf)

location ~* ^.+\.svg$ {
    add_header Content-Security-Policy "script-src 'none'";