Security

Security for our Javascript SDK is top of mind given the potential downstream effects that are possible if things were to go wrong. Here are the ways we work together with clients to greatly reduce likelihood of anything terrible happening

NPM library

Pin to Exact Version

  • Pin the spindl sdk npm dependency to an exact version. This way, even if our npm account gets hijacked and a malicious minor patch version is released to npm registry, you will not get the updated malicious version. You can do this in the following ways:

    • yarn add --exact @spindl-xyz/attribution@1.8.0

    • npm i --save-exact @spindl-xyz/attribution@1.8.0

If you want to take a look and audit the sdk code yourself, feel free to reach out to us and we will provide access.

Script library

Include Integrity Hash

Our Script Installation instruction include an integrity hash that must be added to the script to ensure top security. In the scenario that if our AWS account somehow gets hacked and malicious script is added to our S3 bucket, the subresouce integrity verification will fail because the hash differs from the hash that that would be generated by the malicious code. Below is an example:

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      integrity="sha512-nEy61Atn8YFWPQFxTDLYnpjvMX/tPv7lk1TKpJF6/WfelN251McM7QhFD9i+AW9mY0Ez+5Y3n2fhn9Xk7ZC+ww=="
      src="https://cdn.spindl.xyz/attribution-1-8-0.js"
      crossorigin="anonymous"
></script>

Download the Script & Host Internally

If you want extra security, you can download the code from our script url (i.e. https://cdn.spindl.xyz/attribution-1-6-0.js), host the script yourself locally and reference it in the script tag. This way you're not relying on our AWS S3 bucket or npm hosting registry.

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      src="../location/of-local-spindl-script.js"
      crossorigin="anonymous"
></script>

Internal Best Development Practices

  1. Our SDK does not have any production npm dependencies and we have 0 known vulnerabilities on our dev dependencies when we run npm audit

  2. We have multi factor auth on the important aspects that touch the browser SDK

Last updated