ihashgen release: A node library that generates hashes for SRI

in #utopian-io, 6 years ago

I created a new project on NPM named ihashgen.

The CLI tool fetches a CSS or JS file from its CDN URL and generates a hash of it.

Using a CDN in projects will significantly increase loading speed, but if the CDN is compromised (unpkg cdn was compromised.), an integrity hash on the tag keeps your users safe from that attack: the browser refuses to load a file that does not match the hash.

This library automates generating the hash for you, using the SHA384 algorithm.

Repository

https://github.com/superoo7/ihashgen

Features

What feature(s) did you add?

  • A CLI tool to generate the hash and the HTML version of the script tag or link tag.
> yarn global add ihashgen # npm install -g ihashgen
> ihashgen
  • A node library exposing the function that generates the hash. (works with babel import and typescript)
import ihashgen from 'ihashgen';
ihashgen('https://unpkg.com/react@16/umd/react.production.min.js')
  .then(data => {
    console.log(data.hash);
    console.log(data.html);
  })
  • Automatically detects the file type (css/js) by checking the ending of the URL.

How did you implement it/them?

This project has one core function, intergrityGen:

import axios from "axios";
import SHA384 from "crypto-js/sha384";
import Base64 from "crypto-js/enc-base64";

export type cdnType = "css" | "js";
export type algoType = "sha384";

const intergrityGen = async (url: string, type?: cdnType, algo?: algoType) => {
  // TODO: support more hashing algorithm

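  // Default to SHA-384, the only algorithm supported so far.
  if (!algo) {
    algo = "sha384";
  }

  // Infer the tag type from the end of the URL when it is not given.
  if (!type) {
    type = url.endsWith("css") ? "css" : url.endsWith("js") ? "js" : undefined;
  }
  if (type === undefined) throw new Error("must specify type for cdn (css/js)");

  // axios returns the body as decoded text in d.data; the digest is taken over
  // that text and Base64-encoded, as the integrity attribute requires.
  const hash = await axios.get(url).then(d => Base64.stringify(SHA384(d.data)));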
  return {
    hash: hash,
    html: template(type, url, hash, algo)
  };
};

export const template = (
  type: cdnType,
  url: string,
  hash: string,
  algo: algoType
) => {
  if (type !== "css" && type !== "js")
    throw new Error("must specify type for cdn (css/js)");

  return type === "css"
    ? `<link rel="stylesheet" href="${url}" integrity="${algo}-${hash}" crossorigin="anonymous">`
    : `<script src="${url}" integrity="${algo}-${hash}" crossorigin="anonymous"></script>`;
};

export default intergrityGen;
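
To show what the generated value protects against, here is an added example (not ihashgen's code) that computes the integrity value over the raw file bytes with Node's built-in crypto module and mimics the browser's check. It goes beyond the post by also covering SHA256/SHA512 and multi-hash attributes; the function names and sample files are constructed for illustration.

```javascript
// Added example, not ihashgen's code: SRI computed over raw bytes, plus the
// check a browser performs against the integrity attribute.
const crypto = require("crypto");

// Hash functions defined for SRI, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// Integrity value ("<algo>-<base64 digest>") for the exact bytes served.
function sriFor(bytes, algo = "sha384") {
  if (!ALGOS.includes(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// What hashing the decoded response text yields: decode as UTF-8, re-encode, hash.
function sriForDecodedText(bytes, algo = "sha384") {
  return sriFor(Buffer.from(bytes.toString("utf8"), "utf8"), algo);
}

// Browser-side check. The attribute may list several hashes; unknown
// algorithms are ignored, and only the strongest algorithm present is compared.
function verifySri(bytes, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => token.split("?")[0]) // drop "?options"
    .map((token) => ({ algo: token.split("-")[0], value: token }))
    .filter((entry) => ALGOS.includes(entry.algo));
  if (entries.length === 0) return true; // no usable hash: the load is NOT blocked
  const strongest = Math.max(...entries.map((e) => ALGOS.indexOf(e.algo)));
  return entries
    .filter((e) => ALGOS.indexOf(e.algo) === strongest)
    .some((e) => sriFor(bytes, e.algo) === e.value);
}

// Constructed sample files (not real CDN content).
const original = Buffer.from("window.lib = { version: '1.0.0' };\n", "utf8");
const tampered = Buffer.from("window.lib = { version: '1.0.0', extra: 1 };\n", "utf8");
const latin1File = Buffer.from("/* caf\u00e9 */ body { margin: 0 }\n", "latin1");

const pinned = sriFor(original);
console.log(pinned);
console.log("original passes:", verifySri(original, pinned));
console.log("tampered passes:", verifySri(tampered, pinned));
console.log("decoded-text hash matches raw bytes:",
  sriForDecodedText(latin1File) === sriFor(latin1File));
```

The last line prints false: a file that is not valid UTF-8 hashes differently once it has been decoded to text, so a generator should hash the bytes exactly as served.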

About ihashgen

What is the project about?

Generates an integrity hash for files served from a CDN; it can be used via the CLI or as a Node package.

  • Technology Stack

    • Typescript
    • Node.js
    • CLI: commander, chalk, ora, inquirer
    • Test: Jest
    • Library used: Crypto-Js, Axios

Roadmap

  • Support other hashing algorithms like SHA256.

  • Create webpack configuration for dynamic-cdn-webpack-plugin or a fork version to further automate the task.

How to contribute?

Project is hosted on Github: https://github.com/superoo7/ihashgen with Travis CI to check whether the tests pass. Feel free to fork and file issues.

GitHub Account

https://github.com/superoo7


Cool project.

I wasn't aware of the Subresource integrity concept. Looks like I have been away from the frontend a good amount of time. :) Here is a good read for the potential readers.


Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.


Thanks for moderating. It's just a tool that I need but nobody builds it lol


Sounds nice, but why sha384? There are better algos if you are concerned about zero-collisions (which you should be). Forget sha256 and go for something in this answer: https://softwareengineering.stackexchange.com/a/145633

SHA384 is used because of standards. Most SRI uses SHA384, which is supported in most browsers.

https://www.w3.org/TR/SRI/

Other alternatives would be SHA256, SHA512.

For browser compatibility: https://caniuse.com/#search=sri

Ok - thanks for the response (and the cool resources!)
