Core Concepts

ScriptAttest Integrity

ScriptAttest Integrity is our proprietary behavioral analysis engine. Unlike Subresource Integrity (SRI), which only checks whether a file's bytes have changed, ScriptAttest monitors what the script *does* when it runs.

Key Metrics:

  • Execution Hash: A unique fingerprint of the script's runtime behavior.
  • Sink Access: Monitoring use of sensitive sinks such as `eval()`, `setTimeout()`, and assignments to `innerHTML`.
  • DOM Mutations: Tracking changes to the document structure, especially on sensitive fields.

Provenance Tracking

Provenance tracking provides a clear audit trail for every network request. We use advanced stack trace analysis to attribute every `fetch`, `XHR`, or resource load back to the specific script that initiated it.

"Provenance is the difference between knowing *that* a request happened and knowing *why* it happened."
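
The stack-trace attribution described above, as an added example that is not ScriptAttest's own code: it wraps `fetch` (on `globalThis` in a browser; any object with a `fetch` property works here), captures the call stack at call time, and attributes the request to the first frame outside the monitor's own file, whose name `provenance-monitor.js` is an assumption.

```javascript
// Hypothetical monitor, not ScriptAttest's code: attribute each fetch() call
// to the script that initiated it by capturing the call stack at call time.
// Assumes V8- or Firefox-style stack strings ("at fn (url:line:col)" or "fn@url:line:col").

const OWN_SCRIPT = 'provenance-monitor.js'; // assumed name of the monitor's own file

// Extract {url, line, col} from every stack frame that carries a script URL.
function parseStackFrames(stack) {
  const re = /((?:https?|file):\/\/[^\s()]+):(\d+):(\d+)\)?$/;
  const frames = [];
  for (const raw of String(stack).split('\n')) {
    const m = raw.trim().match(re);
    if (m) frames.push({ url: m[1], line: Number(m[2]), col: Number(m[3]) });
  }
  return frames;
}

// The initiator is the nearest frame that does not belong to the monitor itself.
// Caveat: frames above an async boundary (setTimeout, promise continuation) are
// absent from the synchronous stack, so attribution is best-effort.
function attributeInitiator(stack) {
  return parseStackFrames(stack).find((f) => !f.url.endsWith('/' + OWN_SCRIPT)) || null;
}

// Replace target.fetch with a wrapper that records {api, url, initiator} per call
// and then forwards to the original. Returns the log array for inspection.
function instrumentFetch(target, log = []) {
  const original = target.fetch;
  target.fetch = function (input, ...rest) {
    const url = typeof input === 'string' ? input : input && input.url;
    log.push({ api: 'fetch', url, initiator: attributeInitiator(new Error().stack) });
    return original.call(this, input, ...rest);
  };
  return log;
}

// Constructed sample stack: the monitor's own frame first, then a third-party widget.
const SAMPLE_STACK = [
  'Error',
  '    at fetch (https://cdn.example/provenance-monitor.js:10:5)',
  '    at sendBeacon (https://third-party.example/widget.js:42:13)',
  '    at HTMLButtonElement.onclick (https://shop.example/checkout:88:7)',
].join('\n');

// Reports widget.js:42:13 as the initiator, skipping the monitor's own frame.
console.log(attributeInitiator(SAMPLE_STACK));
```

In a real page the same wrapper would be applied to `XMLHttpRequest.prototype.open` and resource-loading sinks, and the log shipped to a collector rather than printed.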

Content Security Policy (CSP)

CSP is a powerful browser security layer that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. ScriptAttest automates the generation of strict, hash-based policies.

Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-xyz...';

Security Headers

Beyond CSP, ScriptAttest audits and monitors all critical security headers to ensure your site follows modern best practices.

  • HSTS (HTTP Strict Transport Security): Instructs browsers to connect only over HTTPS (HTTP over SSL/TLS).
  • X-Frame-Options: Protects against clickjacking attacks.
  • Permissions-Policy: Controls which browser features (like camera or geolocation) can be used.