From ee452a23bcf159f0a543a4cba7818f219a5e24a3 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 11:37:28 +0000 Subject: [PATCH] Add Subresource Integrity hash to the CDN-loaded Redoc script The published API docs page (docs/index.html) loads redoc.standalone.js from the jsdelivr CDN with no integrity check, so a compromised or tampered CDN response would execute unmodified on the public GitHub Pages site. The repo already pins Redoc to an exact version (72a5ab9); this pairs that pin with a matching sha384 SRI hash plus crossorigin="anonymous" so the browser refuses to run the script if its bytes ever diverge from what was verified. Confirmed the file's SHA-256 matches jsdelivr's own recorded hash for the pinned version, and that jsdelivr serves Access-Control-Allow-Origin: * so the crossorigin fetch succeeds. Co-Authored-By: Claude Sonnet 5 Claude-Session: https://claude.ai/code/session_01VdzPV1XRNcdyiwo4NKvNy8 --- docs/index.html | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/index.html b/docs/index.html index 66ce922..8585fd0 100644 --- a/docs/index.html +++ b/docs/index.html @@ -39,7 +39,11 @@
- +