I set up a django blog application on Heroku. Everything works at the moment, but I have a question about "Missing Subresource Integrity Protection".

I'm new to using Heroku add-ons, but I've set up tinfoil for security, and after the initial scan I got 3 vulnerabilities. The scan result says I have Missing Subresource Integrity Protection, and they gave me this recommendation:
> All externally loaded resources must have their content pinned using
> the subresource integrity mechanisms provided by modern browsers. This
> involves computing a hash of the contents of the resource, and
> specifying this hash when loading that resource. In the case of a
> script, this might look like the following:
> ```html
> <script src="https://example.com/include.js"
>         integrity="sha256-Rj/9XDU7F6pNSX8yBddiCIIS+XKDTtdq0//No0MH0AE="
>         crossorigin="anonymous"></script>
> ```
>
> SRI Hash is an option for computing the necessary hashes.
Can someone explain what all of this means, so that I can learn something from it, and what I should do in the future so that I can avoid this situation?
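As an added illustration (not code from the question or from tinfoil), the following Python shows how the `integrity` value quoted above is produced from a resource's bytes and how a browser checks it, including the multi-token case where several hashes are listed and only the strongest recognised algorithm counts. The resource body and URL are constructed sample values.

```python
import base64
import hashlib
import re

# Algorithms browsers accept for SRI, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token '<alg>-<base64 digest>' for a resource body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build the pinned <script> element. crossorigin is needed for cross-origin
    resources; without it the browser cannot read the body to check the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: parse a space-separated integrity attribute,
    ignore tokens with unknown algorithms, keep only the strongest algorithm
    present, and accept if any digest for that algorithm matches."""
    parsed: dict[str, set[str]] = {}
    for token in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            parsed.setdefault(m.group(1), set()).add(m.group(2))
    if not parsed:
        return True  # no usable metadata: browsers load the resource unchecked
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


if __name__ == "__main__":
    # Constructed sample resource; in practice hash the exact bytes you deploy.
    body = b"console.log('hello from the CDN');\n"
    tag = script_tag("https://cdn.example.invalid/include.js", body)
    print(tag)
    print("verifies:", verify_sri(body, sri_hash(body)))
    print("tampered:", verify_sri(body + b"// injected\n", sri_hash(body)))
```

If the CDN ever changes the file, the hash no longer matches and the browser refuses to run it, which is exactly the protection the scanner is asking for.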