Hey HN!

I created GuardScript because in my previous company we started to include more and more third-party Javascript from SaaS services on our homepage, and this created security risks for us [1] [2].

In order to reassure us, a few of these companies created independently what is essentially GuardScript: a service that monitors every few minutes any changes made to your Javascript files and sends you a notification with the changes made. You can then detect any malicious modification by analyzing these results. I decided to build it for a broader audience.

I'd love feedback and suggestions on how to make it better.

Thanks!

[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja
[2] https://www.zdnet.com/article/hackers-breach-statcounter-to-hijack-bitcoin-transactions-on-gate-io-exchange/
> How do you detect the modifications? We compute the hashes of the files regularly. If only one character in a file changes, its hash will change.

Does this include HTTP headers? For instance a yay.js framework that helps people print 'yay' to the console could return:

    HTTP/1.1 301 MOVED PERMANENTLY
    LOCATION: http://evil.evil/evil.js
    console.log('yay!');
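An added example (my code, not GuardScript's) of why the header question matters: each poll is recorded as a snapshot of status code, Location header and body hash, and a body-only comparison is shown beside one that also checks status and redirect target. The yay.js responses are constructed to reproduce the redirect case above; the `poll` helper is a hypothetical live fetcher built on `http.client`, which does not follow redirects.

```python
import hashlib
import http.client
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Snapshot:
    """What one poll of a third-party script URL observed."""
    status: int
    location: Optional[str]  # Location header, present on redirects
    body_sha256: str

def snapshot(status: int, headers: Dict[str, str], body: bytes) -> Snapshot:
    # HTTP header names are case-insensitive, so normalise before looking them up.
    lower = {k.lower(): v for k, v in headers.items()}
    return Snapshot(status, lower.get("location"), hashlib.sha256(body).hexdigest())

def body_only_diff(baseline: Snapshot, current: Snapshot) -> List[str]:
    # The naive check: compare only the hash of the file's bytes.
    return ["body changed"] if baseline.body_sha256 != current.body_sha256 else []

def full_diff(baseline: Snapshot, current: Snapshot) -> List[str]:
    # Also flag a changed status code or redirect target, which a body hash cannot see.
    changes = body_only_diff(baseline, current)
    if baseline.status != current.status:
        changes.append(f"status {baseline.status} -> {current.status}")
    if baseline.location != current.location:
        changes.append(f"location {baseline.location!r} -> {current.location!r}")
    return changes

def poll(url: str, timeout: float = 10.0) -> Snapshot:
    # Live poll helper (hypothetical, not exercised offline). http.client does not follow
    # redirects, so a 301 is recorded as such instead of silently fetching the new target.
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    target = urllib.parse.urlunsplit(("", "", parts.path or "/", parts.query, ""))
    conn.request("GET", target, headers={"User-Agent": "script-monitor"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return snapshot(resp.status, dict(resp.getheaders()), body)

# Constructed sample responses for the yay.js case from the comment above.
BASELINE = snapshot(200, {"Content-Type": "application/javascript"}, b"console.log('yay!');")
REDIRECTED = snapshot(301, {"Location": "http://evil.evil/evil.js"}, b"console.log('yay!');")
print(body_only_diff(BASELINE, REDIRECTED))  # -> []
print(full_diff(BASELINE, REDIRECTED))
```

The body-only comparison reports nothing for the redirected response, because the bytes it hashes are identical; only the snapshot comparison surfaces the new status and Location.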
Pricing seems high to me. A sub $10/month plan that lets someone check 30 files once a day or even once a week would be useful.

Plenty of small companies have god awful Wordpress sites with a ton of insecure JavaScript files. They don’t need to be checked every 10 minutes but they do need something to check.
I get relying on 3rd party libraries, but not hosting them yourself and just hoping that the current host never gets sold/owned/etc? That sounds insane to me...

Sounds like "curl | insmod /dev/stdin" level insane
Apart from the "SaaS services" (I mean, are they really services for services?), this seems to boil down to:

"We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered by your SaaS changes...". So now you have to trust this SaaS to tell you that the other SaaS is still trustworthy.