
Subresource Integrity Implementation

Overview

Pendo loads its agent from a secure CDN. Some customers have an additional requirement to apply Subresource Integrity (SRI) verification when fetching the agent. SRI lets the browser verify that the resource it retrieves, in this case Pendo's agent, has not been altered in transit or at the source. You add an integrity attribute to the script tag containing a cryptographic hash of the file; the browser hashes what it actually downloaded and refuses to execute the script if the two values differ. On a mismatch, therefore, Pendo will fail to initialize.


Implementation

The recommended method for implementing a Subresource Integrity (SRI) hash is:

  1. Self-host Pendo's agent. The linked article explains how to host the pendo.js file yourself.
  2. Generate a hash for the JavaScript file and place it in the integrity attribute of the script tag that loads it.

Be aware that switching to a self-hosted agent creates additional developer work to keep the agent current; see the article above for details. Pendo continuously releases updates to the agent, including feature enhancements and critical security fixes, so have a plan to keep it up to date. Because an SRI hash pins the exact bytes of the file, every agent update also means regenerating the hash and updating the integrity attribute; an outdated hash would block the new file from running.

You can subscribe to an RSS feed to get notified as agent updates are released.
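The steps above, worked through as an added example (this is not Pendo's tooling, nor code from the article): a small POSIX shell script that computes an SRI integrity value for a self-hosted copy of the agent, emits the script tag, and checks a file against an existing value the way the browser does. The file name pendo.js, the directory used, and the URL https://static.example.com/pendo.js are assumptions for illustration; the file contents are constructed stand-ins, not the real agent.

```shell
#!/bin/sh
# Added example, not part of the Pendo article or its code.
# Assumptions (hypothetical): the self-hosted agent is saved locally as
# pendo.js and served from https://static.example.com/pendo.js.

# sri_hash FILE [ALGO] -> prints "ALGO-<base64 digest>", e.g. "sha384-...".
# sha384 is the usual choice; the browser accepts sha256, sha384 and sha512.
sri_hash() {
    file="$1"
    algo="${2:-sha384}"
    digest=$(openssl dgst "-$algo" -binary "$file" | openssl base64 -A)
    printf '%s-%s\n' "$algo" "$digest"
}

# sri_verify FILE EXPECTED -> exit status 0 if FILE matches the integrity
# value EXPECTED, 1 otherwise. This mirrors the browser check: on a mismatch
# the script is not executed, so the agent never initializes.
sri_verify() {
    file="$1"
    expected="$2"
    algo="${expected%%-*}"          # "sha384-abc..." -> "sha384"
    actual=$(sri_hash "$file" "$algo")
    [ "$actual" = "$expected" ]
}

# script_tag FILE URL -> the <script> tag to paste into the page.
# crossorigin="anonymous" is needed whenever the script is served from a
# different origin than the page; without CORS the browser cannot read the
# response bytes to hash them and refuses to run the script.
script_tag() {
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$2" "$(sri_hash "$1")"
}

# Demo with a constructed file standing in for the downloaded agent.
demo_dir=$(mktemp -d)
printf '%s\n' 'window.pendo = window.pendo || {};' > "$demo_dir/pendo.js"

script_tag "$demo_dir/pendo.js" "https://static.example.com/pendo.js"
pinned=$(sri_hash "$demo_dir/pendo.js")
sri_verify "$demo_dir/pendo.js" "$pinned" && echo "verify: ok"

# Simulate a tampered copy, or simply a newer agent release dropped in place
# without regenerating the hash: the pinned value no longer matches.
printf '%s\n' 'alert(1);' >> "$demo_dir/pendo.js"
sri_verify "$demo_dir/pendo.js" "$pinned" \
    || echo "verify: MISMATCH (browser would refuse to execute the script)"

rm -rf "$demo_dir"
```

Run it after downloading the agent, paste the emitted tag into your page, and rerun sri_hash every time you deploy a new agent version; the second half of the demo shows why, since any change to the file, malicious or a routine update, invalidates the pinned value and blocks the script.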


Using SRI with Staging Environments

These additional instructions apply to customers who have staging servers defined under Settings > Staging.

There is a separate version of the agent used for staging environments, pendo-staging.js. Its location is defined in your production agent's configuration. That configuration includes stagingServers, a list of hostnames designated as staging environments. If the current server matches an entry in this list, Pendo loads the staging agent from the URL in stagingAgentUrl instead of the production agent.

You cannot use an SRI hash for the stagingAgentUrl: the production agent fetches the staging agent itself, so there is no script tag of yours on which to set an integrity attribute.

If you must use an SRI hash in staging environments, the best option is to clear all entries from stagingServers. Pendo will then never attempt to load the JS file from the stagingAgentUrl and will instead use the production JS file that you have configured with an SRI hash. With this method you can still view guides in 'staged' status in your staging environments.
