Security

Security for our Javascript SDK is top of mind, given the potential downstream effects if things were to go wrong. Here are the ways we work together with clients to greatly reduce the likelihood of anything terrible happening.

NPM library

Pin to Exact Version

  • Pin the spindl sdk npm dependency to an exact version (no `^` or `~` range). This way, even if our npm account gets hijacked and a malicious minor or patch version is released to the npm registry, you will not pick up the malicious version on your next install. You can do this in the following ways:

    • yarn add --exact @spindl-xyz/attribution@1.6.1

    • npm i --save-exact @spindl-xyz/attribution@1.6.1

If you want to take a look and audit the sdk code yourself, feel free to reach out to us and we will provide access.

Script library

Include Integrity Hash

Our Script Installation instructions include an integrity hash that must be added to the script tag to ensure top security. In the scenario where our AWS account somehow gets hacked and a malicious script is added to our S3 bucket, the subresource integrity verification will fail, because the hash in your tag differs from the hash the browser computes over the malicious code, and the browser will refuse to execute it. Below is an example:

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      integrity="sha512-qvdrEsMO4FUc9J+i35QLy/XEY5am5jWNOTn/QiWV3RPlVTXFzy5xfppKEqqpzHDhXFuplIseMYY55sdbjXPa1w=="
      src="https://cdn.spindl.xyz/attribution-1-6-0.js"
      crossorigin="anonymous"
></script>

Download the Script & Host Internally

If you want extra security, you can download the code from our script URL (e.g. https://cdn.spindl.xyz/attribution-1-6-0.js), host the script yourself and reference your own copy in the script tag. This way you're not relying on our AWS S3 bucket or the npm hosting registry.

<script
      async
      data-key="ADD_sdkKey_HERE"
      data-name="spindl-sdk"
      src="../location/of-local-spindl-script.js"
      crossorigin="anonymous"
></script>

Internal Best Development Practices

  1. Our SDK does not have any production npm dependencies, and we have 0 known vulnerabilities on our dev dependencies when we run npm audit.

  2. We have multi-factor auth on the important accounts and systems that touch the browser SDK.
