by jrpt 2559 days ago
I’ve come to the conclusion that the way to secure your website from third party JavaScript is to monitor everything happening on your site: https://enchantedsecurity.com/

These third party libraries are a necessary part of modern websites. It’s worth trusting but verifying their security.

4 comments
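To make the "monitor everything happening on your site" idea concrete, here is an added example of a minimal in-page monitor for outbound requests. It is not Enchanted Security's snippet and not code from the original thread; it assumes a first-party origin and one vetted third-party origin (both constructed placeholders) and wraps `fetch`, `XMLHttpRequest.prototype.open` and `navigator.sendBeacon` on whatever global object it is given, reporting any destination that is not on the allowlist.

```javascript
// Added example (not Enchanted Security's code): an in-page monitor that wraps the
// common outbound-request APIs and flags destinations outside an allowlist.
// The origins below are constructed placeholders, not real deployments.
const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",           // assumed first-party origin
  "https://cdn.example-analytics.com", // assumed vetted third party
]);

// Resolve a request target (absolute, protocol-relative or relative) to its origin.
// Returns null when the target cannot be parsed, which is treated as suspicious.
function requestOrigin(target, base) {
  try {
    return new URL(String(target), base).origin;
  } catch (e) {
    return null;
  }
}

// Classify one outbound request against the allowlist.
function classifyRequest(target, base, allowed = ALLOWED_ORIGINS) {
  const origin = requestOrigin(target, base);
  if (origin === null) return { origin: null, allowed: false, reason: "unparsable-url" };
  const ok = allowed.has(origin);
  return { origin, allowed: ok, reason: ok ? "allowlisted" : "unknown-origin" };
}

// Install wrappers on a global-like object `g` (window in a browser, a fake in tests).
// `report` is called for every flagged request; the array of flagged records is returned.
function installMonitor(g, { base, allowed = ALLOWED_ORIGINS, report = () => {} } = {}) {
  const flagged = [];
  const observe = (api, target) => {
    const verdict = classifyRequest(target, base, allowed);
    if (!verdict.allowed) {
      // The stack trace is the only hint as to which script issued the request.
      const rec = { api, target: String(target), origin: verdict.origin,
                    reason: verdict.reason, stack: new Error().stack };
      flagged.push(rec);
      report(rec);
    }
  };

  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      // fetch() accepts a string, a URL object or a Request object (which has .url)
      const target = input && typeof input === "object" && "url" in input ? input.url : input;
      observe("fetch", target);
      return origFetch.call(this, input, init);
    };
  }

  if (g.XMLHttpRequest && g.XMLHttpRequest.prototype) {
    const proto = g.XMLHttpRequest.prototype;
    const origOpen = proto.open;
    proto.open = function (method, url, ...rest) {
      observe("xhr", url);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (g.navigator && typeof g.navigator.sendBeacon === "function") {
    const origBeacon = g.navigator.sendBeacon;
    g.navigator.sendBeacon = function (url, data) {
      observe("sendBeacon", url);
      return origBeacon.call(this, url, data);
    };
  }

  return flagged;
}

// In a browser, run this before any third-party script loads:
// installMonitor(window, { base: location.href, report: r => console.warn("unexpected request", r) });
```

Two caveats a practitioner would want: the wrappers only see scripts that run after the monitor is installed, so it has to be the first script on the page, and they cover only these three APIs; image and script `src` attributes, form submissions, WebSockets and iframes are separate channels that need their own observation (a MutationObserver for DOM insertions, or a Content Security Policy with reporting) for the "monitor everything" claim to hold.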

>Add Enchanted Security's JavaScript to your website to prevent data exfiltration attacks, protecting passwords, credit cards, and other sensitive information.

>Install Enchanted Security's tamper-resistant JavaScript snippet on your site. The inline snippet is designed to be small, adding only a few milliseconds to load time, and does not require active configuration on your end.

There's a lot of marketing copy on your site, but it doesn't really tell me what it's really doing, or even how Enchanted Security itself is secured.

That's because the website's main purpose is marketing, not explaining inner workings. The site explains four steps and you mentioned only the first step, installing it: https://enchantedsecurity.com/how-it-works

If anyone wants to know more they can schedule a private demo.

I think you missed something here https://i.imgur.com/CtFLsSm.png

Thanks. That's a leftover from some automatic changes.

It should only have shown up if you didn't complete the form though.

Hah. "Security is hard, let's go shopping (for our magic security dust)!"

It's not magic security dust. I don't claim all you have to do is use it to have a secure website, but to address a few prominent classes of attacks you can use it.

And security is hard, so defense in depth makes sense.

The other option is to reduce your attack surface by minimising the amount of JS you use.

Companies derive so much value from third party JS that it's pretty much impossible to not use any third party JS. There's some paper on it that I can't find right now but the average site has dozens of third party resources and the number increases with largeness (more popular sites, which correlates with larger companies, tend to have more third party dependencies) and over time (it was less ten years ago). It's not just third party libraries embedded in their code, but products they're using on their site.

In general I agree that you should minimize unnecessary JS, especially simple libraries like the "left-pads" of the world.