Reply to post: Re: Can't win...

UK ICO, Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned

Sir Runcible Spoon Silver badge

Re: Can't win...

Use a local proxy to cache all your remotely collected scripts. Have that proxy run a comparison check against the last known good version for all external scripts.

If the code changes, don't update the cache until it has been signed off as safe, at that point you can update your 'known good' version and carry on serving it to your clients.

OK, so if there's a problem with a valid script and it needs to be updated then that fix might be delayed until you can sign off the update, but that's a lot better than taking the chance of feeding your customers compromised scripts.

This avoids the need to micro-manage all the scripts internally, but injects a safeguard against compromised remote script updates such as the one in this story.

Or does that sound too hard?
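The caching-proxy logic the comment proposes, as an added example that is not the commenter's or The Register's code: the proxy pins each remote script to a last-known-good copy, serves only that copy, and holds any changed upstream version aside until someone approves it. The URL and script bodies are constructed sample values; a real deployment would also need the initial copy to be reviewed rather than trusted on first fetch.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class CachedScript:
    known_good: bytes                  # last version signed off as safe
    pending: Optional[bytes] = None    # changed upstream version awaiting review


class ScriptCache:
    """Proxy-side logic: serve only the signed-off version of each remote script."""

    def __init__(self) -> None:
        self.scripts: Dict[str, CachedScript] = {}

    @staticmethod
    def digest(body: bytes) -> str:
        return hashlib.sha256(body).hexdigest()

    def fetch(self, url: str, fetcher: Callable[[str], bytes]) -> Tuple[bytes, str]:
        """Pull the upstream script and decide what to serve. Returns (body, status)."""
        upstream = fetcher(url)
        entry = self.scripts.get(url)
        if entry is None:
            # First sight: cached as the known-good baseline (trust on first use;
            # a real proxy should have this copy reviewed too).
            self.scripts[url] = CachedScript(known_good=upstream)
            return upstream, "initial"
        if self.digest(upstream) == self.digest(entry.known_good):
            entry.pending = None
            return entry.known_good, "unchanged"
        # Upstream changed: quarantine the new version, keep serving the old one.
        entry.pending = upstream
        return entry.known_good, "changed-held"

    def approve(self, url: str) -> bool:
        """Promote a quarantined version to known-good after manual sign-off."""
        entry = self.scripts.get(url)
        if entry is None or entry.pending is None:
            return False
        entry.known_good = entry.pending
        entry.pending = None
        return True

    def pending_reviews(self) -> List[str]:
        """URLs whose upstream copy changed and is waiting for sign-off."""
        return [u for u, e in self.scripts.items() if e.pending is not None]
```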
