search

Security

Security for our Javascript SDK is top of mind given the potential downstream effects that are possible if things were to go wrong. Here are the ways we work together with clients to greatly reduce likelihood of anything terrible happening

hashtag
NPM library

hashtag
Pin to Exact Version

  • Pin the spindl sdk npm dependency to an exact versionarrow-up-right. This way, even if our npm account gets hijacked and a malicious minor patch version is released to npm registry, you will not get the updated malicious version. You can do this in the following ways:

If you want to take a look and audit the sdk code yourself, feel free to reach out to us and we will provide access.

hashtag
Script library

hashtag
Include Integrity Hash

Our Script Installation instruction include an integrity hash that must be added to the script to ensure top security. In the scenario that if our AWS account somehow gets hacked and malicious script is added to our S3 bucket, the subresouce integrityarrow-up-right verification will fail because the hash differs from the hash that that would be generated by the malicious code. Below is an example:

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      integrity="sha512-tnVaWexFbVZtEVlUBUMiWPwusxycBB3aDONgxC2zjX4CE0Tleo0zoLyI/JA6svx9SumV3KHGtAiD1mDrR+TpPg=="
      src="https://cdn.spindl.xyz/attribution-1-8-1.js"
      crossorigin="anonymous"
></script>

hashtag
Download the Script & Host Internally

If you want extra security, you can download the code from our script url (i.e. https://cdn.spindl.xyz/attribution-1-6-0.jsarrow-up-right), host the script yourself locally and reference it in the script tag. This way you're not relying on our AWS S3 bucket or npm hosting registry.

hashtag
Internal Best Development Practices

  1. Our SDK does not have any production npm dependencies and we have 0 known vulnerabilities on our dev dependencies when we run npm audit

  2. We have multi factor auth on the important aspects that touch the browser SDK

PreviousDefault vs Lite SDK VersionsNextAPI

Last updated