Wednesday, August 31, 2016

Web Developers Add this to your Script Tags

Troy Hunt wrote a great article on Web Subresource Integrity (SRI). As an example, notice this script tag, which pulls the jQuery library from a CDN so that you don't have to host it yourself and so that you get the browser-caching performance benefit, since the user probably already has it cached anyway.

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js" integrity="sha384-I6F5OKECLVtK/BL+8iSLDEHowSAfUo76ZL9+kGAgTRdiByINKJaqTPH/QVNS1VDb" crossorigin="anonymous"></script>

Notice the two extra attributes, integrity and crossorigin, that you may not normally be used to adding or seeing. If you're a web developer you really want to consider adding these. Why?

The integrity attribute means that when the browser loads jQuery from CloudFlare it calculates the hash of the file (a base64-encoded SHA-384 hash in this case, per the sha384- prefix in the attribute), compares it to the one given on the script tag, and only runs the script if they match. So if the CDN has been hacked, or your browser is somehow receiving a man-in-the-middle-modified copy of the file, the hashes won't match and the script won't run.

The crossorigin attribute is set to anonymous to ensure no credentials or identity information (e.g. basic auth or an auth cookie) is sent with the request.

Good simple stuff to add and increase the security on your site.

More about neonprimetime

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.