
Security

Last updated 4 months ago

Security for our JavaScript SDK is top of mind, given the potential downstream effects if something were to go wrong. Here are the ways we work together with clients to greatly reduce the likelihood of anything terrible happening.

NPM library

Pin to Exact Version

  • Pin the Spindl SDK npm dependency to an exact version. This way, even if our npm account gets hijacked and a malicious minor or patch version is released to the npm registry, you will not get the updated malicious version. You can do this in the following ways:

    • yarn add --exact @spindl-xyz/attribution@1.8.1

    • npm i --save-exact @spindl-xyz/attribution@1.8.1

If you want to take a look at and audit the SDK code yourself, feel free to reach out to us and we will provide access.
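Pinning only helps while the pin stays exact: a `^` or `~` that slips back into package.json during a later install silently re-enables automatic upgrades. As an added example (not Spindl's code or part of the SDK), here is a small POSIX shell check that reads the version spec declared for a dependency in `package.json` and fails unless it is a bare `major.minor.patch` version, suitable for a pre-commit hook or CI step. The helper names `dep_version` and `is_exact_pin` and the two sample `package.json` files are constructed for this example.

```shell
#!/bin/sh
# Added example: fail unless a dependency in package.json is pinned to an exact version.
# dep_version and is_exact_pin are this example's own helpers, not part of the Spindl SDK.

# Print the version spec declared for dependency $2 in the package.json at $1 (empty if absent).
dep_version() {
  grep -oE "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" "$1" | head -n 1 \
    | sed -E 's/.*:[[:space:]]*"([^"]*)"/\1/'
}

# Return 0 only when the spec is a bare X.Y.Z (no ^, ~, ranges, dist-tags or "latest").
is_exact_pin() {
  spec=$(dep_version "$1" "$2")
  [ -n "$spec" ] || return 1
  printf '%s' "$spec" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Demo on two constructed package.json files: one pinned exactly, one with a caret range.
pinned=$(mktemp); loose=$(mktemp)
cat > "$pinned" <<'EOF'
{ "dependencies": { "@spindl-xyz/attribution": "1.8.1" } }
EOF
cat > "$loose" <<'EOF'
{ "dependencies": { "@spindl-xyz/attribution": "^1.8.1" } }
EOF

for f in "$pinned" "$loose"; do
  if is_exact_pin "$f" "@spindl-xyz/attribution"; then
    echo "$(dep_version "$f" "@spindl-xyz/attribution"): exact pin, OK"
  else
    echo "$(dep_version "$f" "@spindl-xyz/attribution"): not an exact pin, fix with 'npm i --save-exact'"
  fi
done
rm -f "$pinned" "$loose"
```

Pair the check with a committed lockfile (`package-lock.json` or `yarn.lock`) and `npm ci` in CI, so the resolved version cannot drift even when someone runs a plain `npm install` locally.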

Script library

Include Integrity Hash

Our script installation instructions include a subresource integrity (SRI) hash that must be added to the script tag. If our AWS account were somehow compromised and a malicious script were placed in our S3 bucket, the browser's integrity check would fail, because the hash of the malicious file differs from the one in the integrity attribute, and the script would not be executed. Below is an example:

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      integrity="sha512-tnVaWexFbVZtEVlUBUMiWPwusxycBB3aDONgxC2zjX4CE0Tleo0zoLyI/JA6svx9SumV3KHGtAiD1mDrR+TpPg=="
      src="https://cdn.spindl.xyz/attribution-1-8-1.js"
      crossorigin="anonymous"
></script>
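As an added example (not part of Spindl's documentation or SDK), here is a small POSIX shell helper that computes an SRI value for a script file the same way browsers do (SHA-512 digest, base64-encoded, prefixed with `sha512-`), pulls the expected value out of a script tag, and compares the two. It is useful for confirming that a downloaded copy of the SDK matches the hash published in the installation instructions, or for generating the integrity value of a copy you host yourself. The function names `sri_hash`, `sri_verify` and `sri_from_tag` and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example: compute and check Subresource Integrity (SRI) values for a script file.
# sri_hash, sri_verify and sri_from_tag are this example's own helpers, not the Spindl SDK's.

# Print the SRI value for a file: "sha512-" + base64(SHA-512 digest), the browser's algorithm.
sri_hash() {
  if command -v openssl >/dev/null 2>&1; then
    printf 'sha512-%s\n' "$(openssl dgst -sha512 -binary "$1" | openssl base64 -A)"
  else
    # Fallback for hosts without openssl: hex digest -> raw bytes -> base64.
    printf 'sha512-%s\n' "$(sha512sum "$1" | cut -d' ' -f1 | xxd -r -p | base64 -w0)"
  fi
}

# Return 0 when the file's SRI value equals the expected value (e.g. from the integrity attribute).
sri_verify() {
  [ "$(sri_hash "$1")" = "$2" ]
}

# Extract the integrity attribute value from a <script ...> tag read on stdin.
sri_from_tag() {
  grep -o 'integrity="[^"]*"' | head -n 1 | sed 's/^integrity="//; s/"$//'
}

# Demo on a constructed file (a stand-in for a downloaded copy of the SDK bundle).
demo_file=$(mktemp)
printf 'console.log("constructed stand-in for the SDK bundle");\n' > "$demo_file"
expected=$(sri_hash "$demo_file")
echo "integrity value for the demo file: $expected"

if sri_verify "$demo_file" "$expected"; then
  echo "untouched file: integrity matches"
fi

# A single appended byte changes the digest, which is exactly what SRI detects in the browser.
printf ';' >> "$demo_file"
if ! sri_verify "$demo_file" "$expected"; then
  echo "modified file: integrity mismatch, the browser would refuse to run it"
fi
rm -f "$demo_file"
```

Keep `crossorigin="anonymous"` on the tag: for a cross-origin script the browser only enforces the integrity attribute when the request is made in CORS mode. SRI also applies to same-origin scripts, so if you self-host the SDK you can run `sri_hash` over your local copy and keep an integrity attribute on that tag as well.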

Download the Script & Host Internally

If you want extra security, you can download the code from our script URL (i.e. https://cdn.spindl.xyz/attribution-1-6-0.js), host the script yourself and reference it in the script tag. This way you're not relying on our AWS S3 bucket or the npm registry.

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      src="../location/of-local-spindl-script.js"
      crossorigin="anonymous"
></script>

Internal Best Development Practices

  1. Our SDK has no production npm dependencies, and npm audit reports 0 known vulnerabilities in our dev dependencies.

  2. We use multi-factor auth on the important accounts that touch the browser SDK.
