Monday, October 3, 2016

how to perform an integrity check for externally hosted javascript libraries

if your application loads externally hosted javascript files, there is always the risk that the javascript gets changed and turns evil ;)

to avoid that, some new browsers support the integrity feature, which allows you to build a hash of the library that will be checked by the browser. if the hash in your page does not match the hash the browser computes, the browser shows a violation in the console instead of loading the library. this may cause your application to stop working, but may help you stay secure ;)

before using that, you must ensure that the hoster of the javascript file does not regularly change it; there should always be a detailed version number inside the path.

currently supported browsers are

add integrity hash for your application when loading a library:

create hash with curl & openssl (hopefully before it turns evil ;) )
error in browser console if verification fails
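
the hash step described above, as an added example that is not code from the original post: it builds the value for the integrity attribute with openssl and re-checks a pinned value against a file. it assumes openssl is installed; the function names, the sample file and the cdn.example.com url are made up for illustration.

```shell
#!/bin/sh
# added example (not from the original post): compute and re-check integrity values.
# assumes openssl is installed; function names, file names and the url are placeholders.

# sri_hash FILE [ALG] -> prints "ALG-<base64 digest>", the integrity attribute value
sri_hash() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    case "${2:-sha384}" in
        sha256|sha384|sha512) ;;
        *) echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
    printf '%s-%s\n' "${2:-sha384}" \
        "$(openssl dgst "-${2:-sha384}" -binary < "$1" | openssl base64 -A)"
}

# sri_verify FILE PINNED -> exit 0 only if FILE still hashes to the PINNED value
sri_verify() {
    [ "$(sri_hash "$1" "${2%%-*}")" = "$2" ]
}

# sri_script_tag URL FILE -> prints the script tag to paste into the page
sri_script_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$1" "$(sri_hash "$2")"
}

# constructed demo: a stand-in "library" file. in practice download the exact
# versioned file first, e.g. curl -fsSL "$URL" -o lib.js
demo_dir=$(mktemp -d)
printf 'console.log("lib v1.2.3");\n' > "$demo_dir/lib.js"
demo_pin=$(sri_hash "$demo_dir/lib.js")
sri_script_tag "https://cdn.example.com/lib/1.2.3/lib.js" "$demo_dir/lib.js"

# simulate the hosted file changing after the hash was pinned
printf '/* injected */\n' >> "$demo_dir/lib.js"
sri_verify "$demo_dir/lib.js" "$demo_pin" ||
    echo "integrity mismatch: file changed since it was pinned"
rm -rf "$demo_dir"
```

running sri_verify from a scheduled job against a fresh download tells you the hosted file changed before your users see the console error.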