Secure Javascript Library?

[Notacoder]

I ran my site through websitegrader to check its performance and one metric it got a 5/10 was security with this description:

SECURE JAVASCRIPT LIBRARIES

I'm not feeling safe here.

Intruders can exploit outdated JavaScript libraries. Using the latest version of each library and updating it regularly will help keep you safe.

However, I there is no javascript in the Settings -> Advanced -> Code Injection,  header, footer lock page etc. Is there another Library I can update?

[creedon]

JavaScript libraries would be libraries like jQuery. Many folks find some code examples they want to use that were created ages ago and use those versions that reference old libraries that were surpassed by many newer versions. So that report point is quite correct on suggesting updating libraries. Now you have to be careful because just throwing in a newer version of a library may actually break the old code that used the old version of the library code.

Also be aware that SS probably uses a few JS libraries that you have no control over. There is no way for you to access SS's backend to update those libraries.

Please post the URL for a page on your site where we can see your issue.

A link to the backend of the your site won’t work for us, i.e. a url that contains /config/.

Please set up a site-wide password, if your site is not public and you've not already done so.

Post the password here.

Adding a site-wide password does not allow anyone to alter your site. It only allows those with the password to see your site.

Please read the site-wide password and how to share a link documentation to understand how they work.

We can then take a look at your issue.

You may find How to post a forum question post useful.

[Notacoder]

Thanks for the reply. As mentioned there really isn't an issue with the site however, Web Site Grader: https://website.grader.com/ gave me a 5/10 for security stating the JS libraries were vulnerable.

 

Here's my site: https://www.cyclebeatclub.com

No password required to view the site.

 

[creedon]

Quote

gave me a 5/10 for security stating the JS libraries were vulnerable.

This could refer to Subresource Integrity. It's a way for the browser to know if the JS libraries you are loading have not been tampered with.

You have no control over the JS libraries SS loads and no way to add the required information so that the reporting tool would stop complaining.

You of course can spend the time with any JS libraries you added yourself.

I'd say don't jump through hoops because some tool tells you to. It's a hint, not a rule.

[paul2009]

On 1/26/2023 at 12:25 AM, Notacoder said:

I ran my site through websitegrader to check its performance and one metric it got a 5/10 was security. However, I there is no javascript in the Settings -> Advanced -> Code Injection,  header, footer lock page etc.

The tool is giving good general advice but the security grading is incorrect because it is a generic tool that hasn't been built to check Squarespace, and cannot tell the difference between the approved built-in libraries that Squarespace host and potentially dangerous third party libraries.

If you were loading JavaScript through a Code Injection panel (or in a Code Block) then you would definitely want to follow the advice (and @creedon's comments) to ensure you are using the latest verified version of library, but as your site is only loading the libraries that Squarespace have checked, there should be no cause for concern.

Did this help? Please give feedback by clicking an icon below  ⬇️

[Notacoder]

Thanks very much creedon and Paul.

I am not adding any JS so I'll consider the results of the websitegrader a metric that isn't useful to me.