This solution provides a fully automated, AWS-native mechanism to monitor, detect, and alert on unauthorized changes to page scripts. It uses AWS CloudFront, Lambda@Edge, and the Hono framework to enforce content integrity and real-time monitoring for the JavaScript served as part of payment and other sensitive pages.
✨ Key Features

| Feature | Description |
|---|---|
| ✅ Real-Time Script Integrity Checks | Every time a script (`.js`) is requested, its SHA-384 hash is recalculated at the edge and compared to a known-good hash stored in AWS Systems Manager Parameter Store. |
| ✅ Content Security Policy (CSP) Enforcement | A strict CSP header is injected into every response so that only scripts from trusted sources are allowed to run in the user's browser. |
| ✅ Subresource Integrity (SRI) Ready | Hashes are stored in the SRI format (`sha384-<base64>`), so the same values can be placed in `<script integrity="...">` attributes if browser-side integrity checks are added later. |
| ✅ Tamper Detection & Alerting | If a served script's hash does not match its known-good value (a modified or replaced script), or no known-good hash exists for it (an added script), a real-time SNS alert is sent to security teams or SIEM platforms. |
| ✅ Full Audit Logging | Every script served is logged to CloudWatch Logs with its path and hash, creating an audit trail that can be reviewed and queried after the fact. |
| ✅ Edge Performance | The logic runs in Lambda@Edge at CloudFront edge locations, so enforcement is applied globally without changing the origin application. (The reference `index.js` fetches each script from the origin before hashing it, so cache behaviour and function timeouts should be tuned for that.) |
| ✅ Flexible Origin Support | Works with S3, ALB, or custom origins, making it suitable for both static and dynamic payment pages. |
🔒 Critical Pages Where Script Integrity is Important

| Type of Page | Why Script Integrity Matters |
|---|---|
| Login Pages | Unauthorized script changes could steal credentials (keylogging or credential harvesting). This maps to authentication security requirements in frameworks such as SOC 2, ISO 27001, and NIST SP 800-53. |
| Customer Account Pages | If scripts on "My Account" or "Profile" pages are compromised, attackers could exfiltrate personal data (PII), which is relevant to GDPR, HIPAA, and SOC 2. |
| Checkout Pages (non-card payment) | Even if payments are not made by card (e.g., Apple Pay, PayPal), checkout pages are still a high-value target. Protecting them is a best practice for e-commerce security. |
| Healthcare Patient Portals | Unauthorized scripts could steal Protected Health Information (PHI), mapping to HIPAA 164.312(c)(1) (Integrity). |
| Banking and Financial Apps | Financial institutions need to ensure all online banking pages are protected from tampering. This maps to GLBA, FFIEC, and ISO 27001 requirements. |
| Internal Admin Portals | Unauthorized changes to internal admin dashboards could allow privilege escalation or data manipulation. Relevant to SOC 2 CC6/CC7 and ISO 27001 A.9 (Access Control). |
| Support/Case Management Pages | Unauthorized changes could expose support tickets, customer messages, or sensitive attachments. This is important for SOC 2 (Confidentiality). |
| Document Upload Pages | Any page that lets users upload important documents (e.g., tax forms, contracts, medical records) benefits from ensuring the page's own upload scripts are unmodified, since that client-side code decides where the documents are sent. |
📋 index.js

```javascript
import { Hono } from 'hono';
import { handle } from 'hono/lambda-edge';
import { SSMClient, GetParameterCommand } from '@aws-sdk/client-ssm';
import { SNSClient, PublishCommand } from '@aws-sdk/client-sns';
import { createHash } from 'node:crypto';

// Setup AWS clients. Lambda@Edge functions are deployed from us-east-1 and do not
// support environment variables, so configuration is inlined in the bundle.
const REGION = 'us-east-1';
const ssm = new SSMClient({ region: REGION });
const sns = new SNSClient({ region: REGION });

const TAMPER_ALERT_TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789012:ScriptTamperAlerts';
const HASH_PARAM_NAME = '/tampering/known-good-script-hashes';
const CSP_HEADER_VALUE =
  "script-src 'self' https://trusted-cdn.example.com; report-uri https://example.com/csp-report";

// In-memory cache for known-good hashes (lives as long as the execution environment;
// a redeploy of the function picks up a changed parameter)
let knownHashes = null;

// Load known-good hashes from Parameter Store.
// The parameter value is a JSON object: { "app.js": "sha384-...", "vendor.js": "sha384-..." }
async function loadKnownHashes() {
  if (knownHashes) return knownHashes;
  const command = new GetParameterCommand({ Name: HASH_PARAM_NAME, WithDecryption: true });
  const response = await ssm.send(command);
  knownHashes = JSON.parse(response.Parameter.Value);
  return knownHashes;
}

// Calculate SHA-384 hash in SRI format ("sha384-<base64>")
function calculateHash(content) {
  return 'sha384-' + createHash('sha384').update(content, 'utf8').digest('base64');
}

// Send tamper alert to SNS
async function sendTamperAlert(script, expected, actual) {
  const message = `TAMPER DETECTED: ${script}\nExpected: ${expected}\nActual: ${actual}`;
  console.error(message);
  const command = new PublishCommand({
    TopicArn: TAMPER_ALERT_TOPIC_ARN,
    Subject: 'Script Tamper Alert',
    Message: message,
  });
  await sns.send(command);
}

// Fetch script from origin (adjust if using custom origins).
// Global fetch is available on the Node.js 18+ Lambda runtimes.
async function fetchFromOrigin(path) {
  const originUrl = `https://your-origin-bucket.s3.amazonaws.com${path}`;
  const response = await fetch(originUrl);
  if (!response.ok) {
    throw new Error(`Origin returned HTTP ${response.status} for ${path}`);
  }
  return response.text();
}

// Hono app setup
const app = new Hono();

// Middleware to inject CSP header into every response (set after the handler has
// produced the response so the header survives whatever the handler returns)
app.use('*', async (c, next) => {
  await next();
  c.header('Content-Security-Policy', CSP_HEADER_VALUE);
});

// Handle JavaScript files. Hono has no "*.js" glob, so a regex path parameter
// matches any path (including nested directories) that ends in ".js".
app.get('/:file{.+\\.js}', async (c) => {
  const path = c.req.path;
  const scriptContent = await fetchFromOrigin(path);
  const scriptHash = calculateHash(scriptContent);
  const hashes = await loadKnownHashes();
  const scriptName = path.split('/').pop();
  const expectedHash = hashes[scriptName];

  // Audit log line: one per script served, with its hash
  console.log(`Serving ${path} with hash ${scriptHash}`);

  if (!expectedHash) {
    // No known-good hash: an added or unknown script
    await sendTamperAlert(path, '(no known-good hash)', scriptHash);
  } else if (expectedHash !== scriptHash) {
    // Known script whose content differs: modified or replaced
    await sendTamperAlert(path, expectedHash, scriptHash);
  }

  // Detect-and-alert mode: the script is still served. Return a 403 here instead
  // if the deployment should block rather than report.
  return new Response(scriptContent, {
    headers: { 'Content-Type': 'application/javascript' },
  });
});

// Lambda@Edge entry point (Hono's Lambda@Edge adapter)
export const handler = handle(app);
```
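The index.js above expects the Parameter Store value to be a JSON map of script file name to SRI hash, and it treats a missing entry as an added script. The following is an added example, not code from this project, showing how to produce that manifest from a build directory and how the same manifest classifies a served script as `ok`, `modified`, or `unknown`. The `buildFiles` contents are constructed sample data; the function names are the example's own, and the `aws ssm put-parameter` command in the comment assumes the parameter name used in index.js.

```javascript
import { createHash } from 'node:crypto';

// SRI-style SHA-384 digest, the same format index.js computes at the edge
function sriHash(content) {
  return 'sha384-' + createHash('sha384').update(content, 'utf8').digest('base64');
}

// Build the { "file.js": "sha384-..." } map that loadKnownHashes() parses.
// `files` maps a path to its content; in practice read these from the build output.
function buildManifest(files) {
  const manifest = {};
  for (const [path, content] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;               // only scripts are tracked
    manifest[path.split('/').pop()] = sriHash(content); // keyed by file name, as index.js looks it up
  }
  return manifest;
}

// Classify a served script against the manifest.
// 'unknown' is the added-script case index.js alerts on when no hash exists.
function verifyScript(manifest, path, servedContent) {
  const expected = manifest[path.split('/').pop()];
  const actual = sriHash(servedContent);
  if (expected === undefined) return { status: 'unknown', expected: null, actual };
  return { status: expected === actual ? 'ok' : 'modified', expected, actual };
}

// SRI attribute for the HTML page: the browser refuses a script whose hash differs
function scriptTag(src, manifest) {
  const hash = manifest[src.split('/').pop()];
  return `<script src="${src}" integrity="${hash}" crossorigin="anonymous"></script>`;
}

// Constructed sample build output for the example (not real application code)
const buildFiles = {
  '/static/app.js': "document.getElementById('pay').addEventListener('submit', submitPayment);",
  '/static/vendor.js': 'window.vendor = { version: "1.0.0" };',
  '/static/styles.css': 'body { margin: 0 }',
};

const manifest = buildManifest(buildFiles);

// Store the manifest with (assumed parameter name from index.js):
//   aws ssm put-parameter --name /tampering/known-good-script-hashes \
//     --type SecureString --overwrite --value "$(node build-manifest.js)"
console.log(JSON.stringify(manifest));
```

Regenerate and re-upload the manifest as part of every deploy that changes a script; otherwise a legitimate release shows up as a tamper alert. Because the manifest is keyed by file name only, two scripts with the same name under different paths would collide, so key by full path if the site has any.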
🧰 What This Control Covers Across Frameworks

| Control Area | Explanation |
|---|---|
| Change Detection | Tracks any change to critical page scripts. |
| Tamper Detection | Detects scripts that have been modified maliciously (formjacking, Magecart, etc.). |
| Audit Trail | Logs every script served and every detection (maps to audit and event logging controls). |
| Incident Response Trigger | Automatically sends alerts (supports detection, response, and breach notification processes). |
| Integrity Protection | Verifies that only approved scripts, matching their known-good hashes, are being served (integrity). |
| Defense-in-Depth | Works with CSP and SRI for additional browser-based enforcement. |

- It addresses file integrity monitoring for scripts (relevant to many standards).
- It includes real-time logging and alerting (key to auditability and incident response).
- It fits into any Secure Software Development Life Cycle (SDLC) by adding controls at the delivery layer (edge/CDN).
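The audit trail is only useful if someone looks at it. The following is an added example, not part of this project, of detection logic run over the `Serving <path> with hash <hash>` lines that index.js writes to CloudWatch Logs: it reports any script whose hash changed between two requests, which catches drift even when the Parameter Store manifest was never updated. The log lines and hash values are constructed placeholders (not real SHA-384 digests) and the function names are the example's own.

```javascript
// One audit line per served script, prefixed with a CloudWatch-style timestamp
const SERVE_LINE = /^(\S+)\s+Serving (\S+) with hash (sha384-[A-Za-z0-9+/=]+)$/;

// Parse a single log line; returns null for lines that are not audit records
function parseServeLine(line) {
  const m = SERVE_LINE.exec(line.trim());
  return m ? { ts: m[1], path: m[2], hash: m[3] } : null;
}

// Walk the log in order and report every path whose hash changes between requests
function detectDrift(lines) {
  const lastSeen = new Map(); // path -> { hash, ts }
  const findings = [];
  for (const line of lines) {
    const rec = parseServeLine(line);
    if (!rec) continue; // START/END/REPORT lines and other noise are ignored
    const prev = lastSeen.get(rec.path);
    if (prev && prev.hash !== rec.hash) {
      findings.push({
        path: rec.path,
        from: prev.hash,
        to: rec.hash,
        previousTs: prev.ts,
        changedTs: rec.ts,
      });
    }
    lastSeen.set(rec.path, { hash: rec.hash, ts: rec.ts });
  }
  return findings;
}

// Render findings in the same shape as the SNS alert index.js sends
function formatFindings(findings) {
  return findings
    .map((f) => `TAMPER DETECTED: ${f.path}\nExpected: ${f.from}\nActual: ${f.to}\nChanged at: ${f.changedTs}`)
    .join('\n\n');
}

// Constructed sample log (hash values are placeholders, not real digests)
const sampleLog = [
  '2025-01-10T09:00:01.000Z Serving /static/app.js with hash sha384-KnownGoodAppHash',
  '2025-01-10T09:00:02.000Z Serving /static/vendor.js with hash sha384-KnownGoodVendorHash',
  '2025-01-10T09:00:03.000Z START RequestId: 11111111-2222-3333-4444-555555555555',
  '2025-01-10T09:15:27.000Z Serving /static/app.js with hash sha384-KnownGoodAppHash',
  '2025-01-10T09:31:44.000Z Serving /static/app.js with hash sha384-SkimmerInjectedHash',
  '2025-01-10T09:32:00.000Z Serving /static/vendor.js with hash sha384-KnownGoodVendorHash',
];

// The equivalent CloudWatch Logs Insights query, for use directly in the console:
//   fields @timestamp, @message
//   | parse @message "Serving * with hash *" as path, hash
//   | stats count_distinct(hash) as hashes by path
//   | filter hashes > 1
console.log(formatFindings(detectDrift(sampleLog)));
```

Lambda@Edge writes its logs to CloudWatch Logs in the region of the edge location that handled the request, so pull the log groups from every region (or forward them to one account and group) before running the drift check, or a script replaced at a single edge location will be missed.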
📜 Requirement Mapping

| Framework | Relevant Requirements |
|---|---|
| NIST SP 800-53 (Rev 5) | SI-7 (Software, Firmware, and Information Integrity); SI-4 (System Monitoring); AU-2 (Event Logging); AU-6 (Audit Record Review, Analysis, and Reporting) |
| SOC 2 (Trust Services Criteria) | CC7.1 (detect and monitor changes and vulnerabilities in system components); CC7.2 (monitor system components for anomalies indicating malicious acts); CC6.6 (logical access protections against threats from outside the system boundary) |
| CIS Controls v8 | Control 2 (Inventory and Control of Software Assets); Control 3 (Data Protection); Control 5 (Account Management); Control 6 (Access Control Management); Control 8 (Audit Log Management); Control 14 (Security Awareness and Skills Training) |
| FedRAMP (Moderate) | SI-7 (Software, Firmware, and Information Integrity); SI-4 (System Monitoring); CM-3 (Configuration Change Control); AU-2 (Event Logging) |
| HIPAA | 164.312(c)(1) Integrity (implement policies and procedures to protect ePHI from improper alteration or destruction); 164.308(a)(5)(ii)(B) Protection from Malicious Software; 164.312(b) Audit Controls |

🔔 Tamper Alerting

The `sendTamperAlert` function in `index.js`:

- Sends a formatted message to SNS.
- The SNS topic can fan out to email, Slack, PagerDuty, or a SIEM.
- The message contains the script path, the expected hash, and the actual hash.