Skip to content

fix: patch SRI vulnerability detected by SecurityScorecard #68

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: patch SRI vulnerability detected by SecurityScorecard #68

wants to merge 1 commit into from

Conversation

bpsoraggi
Copy link

@bpsoraggi bpsoraggi commented Aug 4, 2025
edited
Loading

Cf. https://github.com/traefik/infra/issues/8953

It also flags google fonts, but SRI is not supported

Hash generated here or by running:

curl -s https://traefik.github.io/traefiklabs-header-app/main-v1.js | openssl dgst -sha384 -binary | openssl base64 -A

Hash will be updated with every publish, see this PR

@bpsoraggi bpsoraggi requested review from Copilot and mloiseleur and removed request for Copilot August 4, 2025 12:32
Copilot
Copilot AI reviewed Aug 4, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses a security vulnerability by adding Subresource Integrity (SRI) protection to an external JavaScript file. The change adds integrity and crossorigin attributes to a script tag loading from traefik.github.io to ensure the script hasn't been tampered with.

  • Adds SRI hash verification for the traefiklabs-header-app script
  • Includes crossorigin attribute to enable SRI validation for cross-origin resources

@bpsoraggi bpsoraggi mentioned this pull request Aug 5, 2025
Closed
@mloiseleur mloiseleur marked this pull request as draft August 5, 2025 08:36
@bpsoraggi
Copy link
Author

Closing this for now

@bpsoraggi bpsoraggi closed this Oct 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mloiseleur mloiseleur Awaiting requested review from mloiseleur

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bpsoraggi