> For the complete documentation index, see [llms.txt](https://docs.spindl.xyz/spindl/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.spindl.xyz/spindl/techncial/javascript-sdk-html-script-guide/security.md).

# Security

Security for our JavaScript SDK is top of mind, given the downstream effects a compromised script could have on every site that loads it. Below are the measures we apply, and the ones we ask clients to apply with us, to greatly reduce the likelihood of that happening.

## NPM library

### Pin to Exact Version

* Pin the Spindl SDK npm dependency to an [exact version](https://docs.npmjs.com/cli/v8/commands/npm-install#save-exact). The npm registry does not allow a published version number to be reused, so even if our npm account were hijacked and a malicious minor or patch release were pushed to the registry, an exact pin would not pick it up, whereas a caret or tilde range would resolve to it on the next install. Pinning only prevents version drift; also commit your lockfile and install with `npm ci`, so the tarball integrity hash recorded there is verified as well. You can pin in the following ways:
  * `yarn add --exact @spindl-xyz/attribution@1.8.1`
  * `npm i --save-exact @spindl-xyz/attribution@1.8.1`
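To make the pin verifiable in CI rather than relying on everyone remembering `--save-exact`, here is an added example (not Spindl's code) of a small Node.js audit script. It flags every dependency whose spec is not one exact version and checks that `package-lock.json` locks the same version with a tarball integrity hash. The `package.json` and lockfile contents are constructed for the example, and the `integrity` value in them is a placeholder, not the real hash of the `@spindl-xyz/attribution` tarball.

```javascript
// Added example, not Spindl's code: audit dependency pins and the lockfile entry
// behind them. Run it in CI before `npm ci`.
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Exact semver only: MAJOR.MINOR.PATCH plus an optional prerelease/build suffix.
// Anything else (^1.8.1, ~1.8.1, 1.x, >=1, "latest", a git URL) can float to a
// newer release the day it is published.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Every dependency in package.json whose spec is not an exact version.
function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const unpinned = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_SEMVER.test(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// The spec declared for one package, searching all dependency sections.
function declaredSpec(packageJsonText, name) {
  const pkg = JSON.parse(packageJsonText);
  for (const section of DEP_SECTIONS) {
    if (pkg[section] && name in pkg[section]) return pkg[section][name];
  }
  return null;
}

// What npm actually locked for a package. lockfileVersion 2/3 keys entries by
// install path under "packages"; lockfileVersion 1 keys them by name under
// "dependencies". The "integrity" field is the tarball hash `npm ci` verifies.
function lockedEntry(lockText, name) {
  const lock = JSON.parse(lockText);
  const entry =
    (lock.packages && lock.packages[`node_modules/${name}`]) ||
    (lock.dependencies && lock.dependencies[name]);
  return entry ? { version: entry.version, integrity: entry.integrity || null } : null;
}

// Cross-check one package: pinned exactly, lock agrees with the pin, and the lock
// carries an integrity hash. All three must hold for the pin to mean anything.
function checkPin(packageJsonText, lockText, name) {
  const spec = declaredSpec(packageJsonText, name);
  const locked = lockedEntry(lockText, name);
  return {
    pinned: spec !== null && EXACT_SEMVER.test(spec),
    lockMatchesPin: Boolean(locked && locked.version === spec),
    lockHasIntegrity: Boolean(locked && locked.integrity),
  };
}

// Constructed sample files (not a real project). Two specs are deliberately floating.
const PACKAGE_JSON = JSON.stringify({
  dependencies: { "@spindl-xyz/attribution": "1.8.1", "left-pad": "^1.3.0" },
  devDependencies: { typescript: "latest" },
});
// Placeholder integrity value; it is not the real hash of the attribution tarball.
const PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@spindl-xyz/attribution": {
      version: "1.8.1",
      integrity: "sha512-PLACEHOLDERnotTheRealTarballHash",
    },
  },
});

console.log(findUnpinned(PACKAGE_JSON));
console.log(checkPin(PACKAGE_JSON, PACKAGE_LOCK, "@spindl-xyz/attribution"));
```

A non-empty result from `findUnpinned` should fail the build. The lockfile check matters because an exact pin in `package.json` only stops version drift; it is the `integrity` field, checked by `npm ci`, that catches a tarball whose bytes differ from what was originally locked.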

If you want to take a look and audit the sdk code yourself, feel free to reach out to us and we will provide access.

## Script library

### Include Integrity Hash

Our Script Installation [instructions](/spindl/techncial/javascript-sdk-html-script-guide/install.md#installation-via-script-cdn) include an integrity hash that must be kept on the script tag. If our AWS account were compromised and a malicious script placed in our S3 bucket, the browser's [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) check would fail, because the hash of the modified file no longer matches the value in the `integrity` attribute, and the script would not execute. Two things to keep in mind: the hash is tied to one exact file, so when you change `src` to a new version you must also update `integrity` to the hash published for that version; and the browser can only verify a cross-origin script it is allowed to read, so `crossorigin="anonymous"` must stay on the tag. Below is an example:

```markup
<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      integrity="sha512-tnVaWexFbVZtEVlUBUMiWPwusxycBB3aDONgxC2zjX4CE0Tleo0zoLyI/JA6svx9SumV3KHGtAiD1mDrR+TpPg=="
      src="https://cdn.spindl.xyz/attribution-1-8-1.js"
      crossorigin="anonymous"
></script>
```

### Download the Script & Host Internally

If you want extra security, you can download the code from our script URL (for example <https://cdn.spindl.xyz/attribution-1-6-0.js>), host the file yourself and reference it from the script tag. This way you are not relying on our AWS S3 bucket or the npm registry at page-load time. Before deploying the copy, verify it against the integrity hash published for that version, and keep the version in the file name so that upgrades are deliberate; the `integrity` attribute can also stay on the tag for a self-hosted, same-origin copy.

```markup
<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      src="../location/of-local-spindl-script.js"
      crossorigin="anonymous"
></script>
```

## Internal Best Development Practices

1. Our SDK has no production npm dependencies, and `npm audit` reports zero known vulnerabilities in our dev dependencies.
2. Multi-factor authentication is enforced on the accounts and systems that can publish or modify the browser SDK.

