On June 24, 2025, Kasasa’s FIRSTBranch team inadvertently deployed an incomplete Content Security Policy (CSP) update, causing an outage that affected some third-party scripts, including online banking logins, on FIRSTBranch sites. A CSP is a security feature that helps protect against cross-site scripting (XSS) attacks by controlling which scripts are allowed to run. This update used a nonce attribute (a unique, server-generated code) to allow only approved scripts. The premature deployment caused legitimate third-party scripts to be flagged and blocked.
Although the issue was quickly identified, delays in reverting the code extended the outage. A brief recurrence happened on June 25 due to an accidental merge, which was promptly reverted. The CSP implementation is now being thoroughly tested before any future rollout.
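The nonce mechanism described above can be checked against a page before a policy ships. The following is an added illustration, not Kasasa's code or tooling: it lists the scripts a policy would block, modelling only nonces, 'self', exact origins, 'unsafe-inline' and 'strict-dynamic'. The function names, hosts, nonce and sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):  # records (src, nonce) for each <script> tag
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attrs = dict(attrs)
            self.scripts.append((attrs.get("src"), attrs.get("nonce")))

def script_sources(policy):  # script-src, else default-src, else None (unrestricted)
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first wins
    return directives.get("script-src", directives.get("default-src"))

def blocked_scripts(policy, html, page_origin):
    """Scripts in html that this simplified CSP model would block."""
    sources = script_sources(policy)
    if sources is None:
        return []
    nonces = {s[7:-1] for s in sources if s.lower().startswith("'nonce-")}
    origins = {page_origin if s == "'self'" else s.lower() for s in sources}
    collector = ScriptCollector()
    collector.feed(html)
    blocked = []
    for src, nonce in collector.scripts:
        if nonce and nonce in nonces:
            continue  # nonce attribute matches the policy
        if src is None:  # inline: 'unsafe-inline' is ignored once a nonce is set
            if nonces or "'unsafe-inline'" not in sources:
                blocked.append("<inline>")
            continue
        url = urlsplit(urljoin(page_origin + "/", src))
        allowlisted = f"{url.scheme}://{url.netloc}".lower() in origins
        if "'strict-dynamic'" in sources or not allowlisted:  # allowlist is ignored
            blocked.append(src)
    return blocked

# Constructed sample: nonce, hosts and page are placeholders, not from the incident.
NONCE = "Y29uc3RydWN0ZWQtbm9uY2U"
PAGE = (f'<script nonce="{NONCE}" src="/js/site.js"></script><script>initAnalytics()</script>'
        '<script src="https://login.vendor.example/widget.js"></script>')
NONCE_ONLY = f"script-src 'nonce-{NONCE}' 'strict-dynamic'"
WITH_HOST = f"script-src 'nonce-{NONCE}' https://login.vendor.example"
```

Calling `blocked_scripts(NONCE_ONLY, PAGE, "https://bank.example")` reports the third-party widget and the inline snippet, the two scripts that carry no nonce.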
Some users may have noticed persistent caching issues even after the problem was addressed; clearing the browser cache resolved any lingering issues.
We apologize for the disruption and appreciate your patience. Thank you for your understanding.