Skip to content

security: add SRI hash to Redoc CDN script tag#43

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/elegant-edison-8s1yqm
Open

security: add SRI hash to Redoc CDN script tag#43
dmchaledev wants to merge 1 commit into
mainfrom
claude/elegant-edison-8s1yqm

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

  • docs/index.html loads Redoc from jsdelivr (https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js) with no Subresource Integrity (SRI) check.
  • Pinning the version alone (done in a prior PR) protects against upstream package changes, but not against a compromised CDN edge or a MITM serving different bytes under the same URL — the browser has no way to detect tampering without a hash.
  • This is a public-facing docs site (GitHub Pages), so a compromised script here would run in every visitor's browser.
  • Added a sha384 integrity attribute plus crossorigin="anonymous" (required by the SRI spec for cross-origin script loads) to the Redoc <script> tag.

The hash was independently computed from the fetched file (openssl dgst -sha384) and cross-checked against jsdelivr's own published SHA-256 hash for redoc@2.5.3/bundles/redoc.standalone.js via https://data.jsdelivr.com/v1/packages/npm/redoc@2.5.3 — both match the file currently served.

Test plan

  • Verified the computed SRI hash matches the file jsdelivr currently serves for the pinned version
  • After merge, confirm the GitHub Pages docs site (hailbytes.github.io/hailbytes-api-docs) still renders both the ASM and SAT specs correctly (SRI mismatches fail closed and would blank the page)

🤖 Generated with Claude Code

https://claude.ai/code/session_015FbybmH3LzX8CbuzGtqUAK


Generated by Claude Code

The public-facing docs page loads redoc.standalone.js from jsdelivr with
no subresource integrity check. Pinning the version alone doesn't protect
against a compromised CDN or MITM serving different bytes under the same
URL; the browser needs a hash to verify. Added a sha384 integrity
attribute (verified against jsdelivr's own published hash for
redoc@2.5.3) plus crossorigin="anonymous", which SRI requires for
cross-origin script loads.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015FbybmH3LzX8CbuzGtqUAK
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants