科技回声: a tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

Show HN: Guardscript – Detect any changes made to your JavaScript files

28 points, posted by Dyaz17 almost 6 years ago

9 comments

Dyaz17, almost 6 years ago

Hey HN!

I created GuardScript because in my previous company we started to include more and more third-party Javascript from SaaS services on our homepage, and this created security risks for us [1] [2].

In order to reassure us, a few of these companies created independently what is essentially GuardScript: a service that monitors every few minutes any changes made to your Javascript files and sends you a notification with the changes made. You can then detect any malicious modification by analyzing these results. I decided to build it for a broader audience.

I'd love feedback and suggestions on how to make it better.

Thanks!

[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja
[2] https://www.zdnet.com/article/hackers-breach-statcounter-to-hijack-bitcoin-transactions-on-gate-io-exchange/
leppr, almost 6 years ago

This is good, but this won't stop the first few visitors from getting pwned. Client-side check (SRI) is still the best solution.
missblit, almost 6 years ago

> How do you detect the modifications? We compute the hashes of the files regularly. If only one character in a file changes, its hash will change.

Does this include HTTP headers? For instance a yay.js framework that helps people print 'yay' to the console could return:

    HTTP/1.1 301 MOVED PERMANENTLY
    LOCATION: http://evil.evil/evil.js

    console.log('yay!');
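An added illustration (not GuardScript's code and not posted by anyone in the thread) of the point raised in the last three comments: a monitor that only hashes the response body misses the redirect case above, so the fingerprint should also cover status and the headers that decide what a browser executes; the same body digest doubles as an SRI `integrity` value. The two sample responses, the watched header list and the `example.invalid` host are constructed for the example.

```python
import base64
import hashlib

# Constructed sample responses (not real captures): the same script body
# served normally, then behind a 301 whose body is left unchanged.
BASELINE = (200, {"Content-Type": "application/javascript"},
            b"console.log('yay!');")
REDIRECTED = (301, {"Content-Type": "application/javascript",
                    "Location": "http://example.invalid/other.js"},
              b"console.log('yay!');")

# Headers whose change is treated as a change to the script itself
# (assumed list; extend to what your monitor considers significant).
WATCHED_HEADERS = ("content-type", "location", "content-encoding")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value usable in <script integrity="...">: algo, dash, base64 digest."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def fingerprint(status: int, headers: dict, body: bytes) -> dict:
    """Record status, watched headers and body digest, not the body alone."""
    lower = {k.lower(): v for k, v in headers.items()}
    fp = {"status": status, "body": sri_hash(body)}
    for name in WATCHED_HEADERS:
        fp[name] = lower.get(name)  # None when the header is absent
    return fp


def changed_fields(old: dict, new: dict) -> list:
    """Names of fingerprint fields that differ between two checks."""
    return [k for k in old if old[k] != new.get(k)]


if __name__ == "__main__":
    before = fingerprint(*BASELINE)
    after = fingerprint(*REDIRECTED)
    # The body digest is identical, so a body-only check would stay silent;
    # the fuller fingerprint reports the new status and Location header.
    print("body digest changed:", before["body"] != after["body"])
    print("changed fields:", changed_fields(before, after))
```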
godzillabrennus, almost 6 years ago

Pricing seems high to me. A sub $10/month plan that lets someone check 30 files once a day or even once a week would be useful.

Plenty of small companies have god awful Wordpress sites with a ton of insecure JavaScript files. They don't need to be checked every 10 minutes but they do need something to check.
dmitrygr, almost 6 years ago

I get relying on 3rd party libraries, but not hosting them yourself and just hoping that the current host never gets sold/owned/etc? That sounds insane to me...

Sounds like "curl | insmod /dev/stdin" level insane
stephenr, almost 6 years ago

Apart from the "SaaS services" (I mean, are they really services for services?), this seems to boil down to:

"We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered by your SaaS changes...". So now you have to trust this SaaS to tell you that the other SaaS is still trustworthy.
pietroglyph, almost 6 years ago

Looks very cool. You have a typo in the pricing area of the page: it says "Sart Free Trial" instead of "Start Free Trial".
snek, almost 6 years ago

Imagine an internet where instead of making this tool, people stopped including billions of third party scripts.
graphememes, almost 6 years ago

You could do this with a free serverless function on aws, why would I pay for it