I have staged a Django blog application on Heroku, everything is working as it should for now, but I have a small question about Missing Subresource Integrity Protection.
I'm pretty new at using Heroku addons, but I have set up Tinfoil for security, and after the initial scan I have 3 vulnerabilities encountered. Scan results indicate that I'm Missing Subresource Integrity Protection, and they have proposed me this:
> All externally loaded resources must have their content pinned using
> the subresource integrity mechanisms provided by modern browsers. This
> involves computing a hash of the contents of the resource, and
> specifying this hash when loading that resource. In the case of a
> script, this might look like the following:
```html
<script src="https://example.com/include.js"
        integrity="sha256-Rj/9XDU7F6pNSX8yBddiCIIS+XKDTtdq0//No0MH0AE="
        crossorigin="anonymous"></script>
```
SRI Hash is an option for computing the necessary hashes.
Can someone explain to me what this all means so I can learn something from this, and what to do in the future so I can avoid this kind of situation?
Subresource integrity is a specification that "defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation." It is basically a checksum for your assets; compliant browsers will not load the resource if it does not match the specified integrity value.
This is very easy to add, in Rails, as long as your version of sprockets is 3.x or greater. You can add the check by following the example from the sprockets documentation:
```ruby
javascript_include_tag :application, integrity: true
# => "<script src="/assets/application.js" integrity="sha256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="></script>"
```
GitHub Engineering has an interesting blog post, where they discuss the feature at length.
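As an added example (my own code, not part of the question, the answer, or the scanner's advice above), here is the mechanism in Python, which also fits a Django project: `sri_hash` computes the `integrity` value the way SRI Hash would (a base64-encoded digest prefixed with the algorithm name), `script_tag` builds the pinned tag the scanner asked for, and `integrity_matches` reproduces the browser-side decision from the SRI specification, including the rule that when several hashes are listed only the strongest algorithm present is consulted, and that metadata with no recognised algorithm means the resource loads unchecked. The `include.js` content is constructed for the demonstration.

```python
import base64
import hashlib

# Digest algorithms the SRI specification allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha256") -> str:
    """Return the integrity value for *content*, e.g. 'sha256-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha256") -> str:
    """Build a <script> tag pinned to *content* (the exact bytes served at src)."""
    return (
        f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
        'crossorigin="anonymous"></script>'
    )


def integrity_matches(fetched: bytes, integrity: str) -> bool:
    """Decide, as a browser would, whether *fetched* may be used.

    The integrity attribute may hold several whitespace-separated tokens.
    Tokens with an unknown algorithm are ignored; if nothing usable remains
    the spec says the resource is loaded without a check. Otherwise only the
    strongest listed algorithm counts, and any matching digest of it passes.
    """
    parsed = []
    for token in integrity.split():
        algorithm, sep, expected = token.partition("-")
        algorithm = algorithm.lower()
        expected = expected.split("?", 1)[0]  # drop any option string
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, expected))
    if not parsed:
        return True  # no recognised metadata: nothing to enforce
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    return any(
        sri_hash(fetched, algorithm) == f"{algorithm}-{expected}"
        for algorithm, expected in parsed
        if algorithm == strongest
    )


if __name__ == "__main__":
    # Constructed stand-in for the externally hosted include.js.
    include_js = b"window.greet = function () { return 'hello'; };\n"
    tag = script_tag("https://example.com/include.js", include_js)
    print(tag)
    pinned = sri_hash(include_js)
    print("unchanged file accepted:", integrity_matches(include_js, pinned))
    # Any change to the served bytes, however small, fails the check.
    print("modified file accepted:", integrity_matches(include_js + b"//", pinned))
```

The value to put in your template is whatever `sri_hash` returns for the exact bytes the CDN serves; if the third party ships a new version of the file, the hash no longer matches and the browser refuses to run it, which is the whole point of the control. Keep `crossorigin="anonymous"` on cross-origin tags, since browsers only enforce SRI on resources fetched in CORS mode.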