== Recommended Secure Coding Practices

To check the integrity of a remote artifact, hash verification is the most
reliable solution. It ensures that the file has not been modified since the
fingerprint was computed.

In this case, the artifact's hash must:

* Be computed with a secure hash algorithm such as `SHA512`, `SHA384` or `SHA256`.
* Be compared with a secure hash that was *not* downloaded from the same source.

To do so, the best option is to add the hash in the code explicitly,
by following https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#tools_for_generating_sri_hashes[Mozilla's official documentation on how to generate integrity strings].

*Note: Use this fix together with version binding on the remote file. Avoid
downloading files named "latest" or similar, so that the front-end pages do not
break when the code of the latest remote artifact changes.*
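
The two requirements above can also be enforced in a build or deploy step. The following Node.js sketch is an added example, not part of the original rule text; the function names (`sriHash`, `parseIntegrity`, `verifyPinned`) and the sample artifact are assumptions made for illustration.

```javascript
// Added example: pin and verify a remote artifact's hash (Node.js, CommonJS).
const { createHash } = require('crypto');

// Only the algorithms the guidance lists as secure are accepted.
const ALLOWED = new Set(['sha256', 'sha384', 'sha512']);

// Build an integrity string ("<alg>-<base64 digest>") for the given bytes.
function sriHash(bytes, algorithm = 'sha384') {
  if (!ALLOWED.has(algorithm)) throw new Error(`refusing weak or unknown algorithm: ${algorithm}`);
  return `${algorithm}-${createHash(algorithm).update(bytes).digest('base64')}`;
}

// Parse an integrity value; tokens with other algorithms (md5, sha1) or bad syntax are dropped.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).flatMap((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(token);
    return m ? [{ algorithm: m[1], digest: Buffer.from(m[2], 'base64') }] : [];
  });
}

// Verify downloaded bytes against a pin kept in the code base, not fetched with the file.
// As in browsers, only the strongest algorithm present counts. Unlike browsers, a pin
// with no usable hash fails closed.
function verifyPinned(bytes, pinned) {
  const entries = parseIntegrity(pinned);
  if (entries.length === 0) return false;
  const strongest = entries.map((e) => e.algorithm).sort().pop(); // sha256 < sha384 < sha512
  return entries
    .filter((e) => e.algorithm === strongest)
    .some((e) => createHash(e.algorithm).update(bytes).digest().equals(e.digest));
}

// Constructed sample: "abc" stands in for the bytes of a version-pinned remote file.
const PINNED = 'sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=';
console.log(verifyPinned(Buffer.from('abc'), PINNED));  // unmodified artifact
console.log(verifyPinned(Buffer.from('abcd'), PINNED)); // modified artifact
```

The same string produced by `sriHash` is what goes into the `integrity` attribute of the tag that loads the version-pinned file.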