
Major sites running unauthenticated JavaScript on their payment pages. The article title says it all. The TL;DR is this: if your payment page loads external files, most likely JavaScript or CSS from a CDN, then you need to ensure those files have not been tampered with before or during the payment process, because an attacker who can alter a script that runs on that page can very easily intercept payment card details. This is precisely what happened to British Airways!

The solution is Subresource Integrity (SRI), which basically involves adding an "integrity" attribute to your script or link element. The attribute carries a cryptographic hash (SHA-256, SHA-384 or SHA-512, base64-encoded) of the exact file contents you audited; the browser hashes the file it actually fetched and refuses to execute or apply it if the hash does not match. For a cross-origin resource the element also needs crossorigin="anonymous" (and the CDN must send CORS headers), because a browser cannot read the body of a non-CORS response to check it and will block the resource. Like this:

<script src="https://example.com/whatever.js" integrity="sha384-eP2mZH+CLyffr1fGYsgMUWJFzVwB9mkUplpx9Y2Y3egTeRlmzD9suNR+56UHKr7v" crossorigin="anonymous"></script>

Two caveats. The hash pins one exact file, so point src at a versioned URL and regenerate the hash whenever the file changes; a mismatch means the script simply does not run, which on a payment page you will notice quickly. And SRI only covers the element it is on: it does nothing if the attacker can edit the HTML that carries the integrity attribute, and any further scripts the protected script loads at runtime need integrity attributes of their own.