Guides: Subresource Integrity

jodosha committed Jul 20, 2016
1 parent f1938de commit 0009b8a04f279c97f0fd9c81a1ab4e1145b34141
Showing with 72 additions and 0 deletions.
  1. +72 −0 source/guides/assets/content-delivery-network.md
@@ -44,3 +44,75 @@ Once _CDN mode_ is on, all the [asset helpers](/guides/helpers/assets) will retu
```html
<link href="https://123.cloudfront.net/assets/application-9ab4d1f57027f0d40738ab8ab70aba86.css" type="text/css" rel="stylesheet">
```

## Subresurce Integrity

A CDN can dramatically improve page speed, but it can potentially open a security breach.
If the CDN that we're using is compromised and serves evil javascript files, we're exposing our users to security attacks like Cross Site Scripting (XSS).

To solve this problem browsers vendor introduced a defense called [Subresurce Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).

When enabled, the browser verifies that the checksum of the downloaded file, matches with the declared one.

### From A CDN

If we're using jQuery from their CDN we should check on their website what's the checksum of the `.js` file and write:

```erb
<%= javascript 'https://code.jquery.com/jquery-3.1.0.min.js', integrity: 'sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=' %>
```

The output will be:

```html
<script integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" src="https://code.jquery.com/jquery-3.1.0.min.js" type="text/javascript" crossorigin="anonymous"></script>
```

### Local Assets

The security problem described above doesn't concern only CDNs, but local files too.
Imagine we have a compromised file system and someone was able to replace our javascripts with evil files: we would be vulnerable to the same kind of attack.

As a defense against this security problem, Hanami **enables Subresurce Integrity by default in production.**
When we [precompile the assets](/guides/command-line/assets) at the deploy time, Hanami calculates the checksum of all our assets and it adds a special HTML attribute `integrity` to our asset tags like `<script>`.

```erb
<%= javascript 'application' %>
```

```html
<script src="/assets/application-92cab02f6d2d51253880cd98d91f1d0e.js" type="text/javascript" integrity="sha256-WB2pRuy8LdgAZ0aiFxLN8DdfRjKJTc4P4xuEw31iilM=" crossorigin="anonymous"></script>
```

### Settings

To turn off this feature, or to configure it, please have a look at the `production` block in `apps/web/application.rb`

```ruby
module Web
class Application < Hanami::Application
configure :production do
assets do
# ...
subresource_integrity :sha256
end
end
end
end
```

By removing or commenting that line, the feature is turned off.

We can choose one or more checksum algorithms:

```ruby
subresource_integrity :sha256, :sha512
```

With this setting, Hanami will render `integrity` HTML attribute with two values: one for `SHA256` and one for `SHA512`.

```html
<script src="/assets/application-92cab02f6d2d51253880cd98d91f1d0e.js" type="text/javascript" integrity="sha256-WB2pRuy8LdgAZ0aiFxLN8DdfRjKJTc4P4xuEw31iilM= sha512-4gegSER1uqxBvmlb/O9CJypUpRWR49SniwUjOcK2jifCRjFptwGKplFWGlGJ1yms+nSlkjpNCS/Lk9GoKI1Kew==" crossorigin="anonymous"></script>
```

**Please note** that checksum calculations are CPU expensive, so the `subresource_integrity` setting would affect the elapsed time of _assets precompiling_ and so of your deploy. We suggest to leave the default `:sha256` setting.
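
Review bot: "Subresurce" is misspelled in the new `## Subresurce Integrity` heading, in the MDN link text, and in the bold "enables Subresurce Integrity by default" sentence. The linked URL already spells it `Subresource_Integrity`, so please change all three to "Subresource" before the heading's anchor gets linked from other guides. Next to "the browser verifies that the checksum of the downloaded file, matches with the declared one", it would help to say what happens on a mismatch (the browser refuses to load the resource), since that is the behaviour readers will see when a digest is stale. In "From A CDN", consider adding that the `integrity` value is tied to the exact file and has to be updated whenever the pinned version in the URL changes. As shown here, the Ruby example under "Settings" has no indentation (`class Application`, `configure :production do` and `assets do` all start at column 0), which makes the nesting hard to follow.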
