Remotely Hosted Resources
Supply chain attacks are more common in the ecommerce space today. For example, Magecart often targets third-party, remotely hosted resources to install drive-by skimmers that capture sensitive information entered on a webpage. Using only JavaScript, attackers can mine cryptocurrency, enlist machines into a DDoS botnet, and even attempt to install malware directly on the client machine for further control and compromise.
Attackers do this by compromising a remotely hosted resource and inserting malicious code into a once-trusted JavaScript file. Any website that includes that script then also includes the malicious JavaScript.
Recently, the security industry introduced controls that help curb this type of attack by adding integrity hashes to the HTML elements that include remote resources. For example, Subresource Integrity (SRI), a security feature that lets browsers verify the resources they fetch, expects an integrity value on the HTML element containing a hash of the remote resource's content. If the remote resource is compromised, its hash no longer matches the preconfigured, trusted hash value, and the client's browser refuses to load the modified script.
For SFRA implementations, the addJs and addCss helper methods accept an integrity hash as an optional second argument. See the Mozilla Developer Network documentation for examples of implementing subresource integrity.