Verifying JS Integrity

Yesterday, a CDN was hacked and malicious JS was served to a number of domains. Most websites make use of CDNs to serve up JS so as to reduce page load time. How do we protect ourselves from such attacks?

I posed a similar question on Sec.SE some time back. Subresource Integrity is a new security feature that will save you. The code will not execute if there is a hash mismatch. Just don't use this on rolling releases that reuse the same URLs.

1
2
3
    <script src="https://example.com/example-framework.js"
    integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"
    crossorigin="anonymous"></script>


Tags: Coding, Security

Similar Articles

Verifying JS Integrity - Yesterday, a CDN was hacked and malicious JS was served to a number of domains. Most websites make use of CDNs to serve up JS so as to reduce page load time. How do we protect ourselves from such ...
Web Development in Singapore - In light of the recent fiasco over the NDP website, I thought it would be apt for me to share my thoughts on how I believe web development in Singapore has ended up in this dismal state today. ...
Analysing smali code - Mobile apps have become increasingly widespread compared to their desktop counterparts. In addition, many apps often have stricter security requirements since they incorporate micropayments. We ...
Adding hostnames or PTR records to piwik - If you are using piwik and desire to know exactly where your website visitors come from, this hack will allow you to display the hostname or PTR record beside the IP addresses on the piwik ...