
Ensuring JavaScript hasn't been tampered with

I'm writing a web application that does some client-side encryption of data to ensure that I never get to see what the client is sending to my server. What I am really worried about is if a third party gets access to my JavaScript code and then adds a back door or some other malicious code to my JavaScript file.

Since JavaScript is often hosted on third-party CDNs, how does one ensure that a JavaScript file has not been altered or tampered with before the browser downloads it? I'd rather have a big security notice on my page than load some tampered-with JavaScript in my client's browser.

In a normal program I would digitally sign the file to ensure that it hasn't been tampered with, but I don't think browsers support checking a given signature before they download and/or load a JavaScript file. There must be some solution to this; otherwise hosting any files on a CDN would be a huge security risk. SSL only protects the file in transport, not when it is sitting on the CDN server.

asked Dec 12 '13 18:12

Cromulent


2 Answers

If you want to ensure that they reach the client side unaltered and do not trust any third-party CDN, you would need to serve the JavaScript content directly from your source server over HTTPS.

Comparing the hashes (as per @rishta's answer) would mean you have to host JavaScript to do this (either in your page or in separate .js files served from your server), so you might as well simply serve the client-side encryption code from your server instead, which would probably mean less overhead overall.

answered Sep 18 '22 12:09

SilverlightFox


Unless the scripts are dynamic, you could store their hashes in a database and compare client-side. See http://pajhome.org.uk/crypt/md5/

answered Sep 21 '22 12:09

Jacek Krysztofik
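
One way to do the hash comparison suggested in the answers above, as an added example that is not part of the original thread. It uses SHA-256 from the Web Crypto API in place of the linked MD5 library, and assumes the loader and the pinned hashes are served from your own origin over HTTPS; the URL, the script bodies and the `getBytes` parameter are constructed for illustration.

```javascript
// Added example (not from the original answers): pin each script's SHA-256
// on your own origin and verify the CDN copy before it is allowed to run.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Hex-encoded SHA-256 of a Uint8Array.
async function sha256Hex(bytes) {
  const digest = await subtle.digest('SHA-256', bytes);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Default transport for browsers: fetch the raw bytes, bypassing the HTTP cache.
async function fetchBytes(url) {
  const res = await fetch(url, { cache: 'no-store' });
  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
  return new Uint8Array(await res.arrayBuffer());
}

// Returns the script source only if the received bytes hash to the pinned value.
// `pins` maps URL -> hex SHA-256 and must come from your own HTTPS origin.
// `getBytes` is injectable (an assumption of this sketch) so the check runs offline.
async function loadVerified(url, pins, getBytes = fetchBytes) {
  const expected = pins[url];
  if (typeof expected !== 'string') throw new Error(`no pinned hash for ${url}`); // fail closed
  const bytes = await getBytes(url);
  const actual = await sha256Hex(bytes);
  if (actual !== expected.toLowerCase()) {
    throw new Error(`integrity mismatch for ${url}: got ${actual}`);
  }
  return new TextDecoder().decode(bytes); // caller injects this via a <script> element
}

// Constructed sample: the URL and both script bodies are made up for illustration.
async function demo() {
  const enc = new TextEncoder();
  const url = 'https://cdn.example/client-crypto.js';
  const released = enc.encode('function encrypt(data, key) { /* ... */ }');
  const altered = enc.encode('function encrypt(data, key) { /* altered */ }');
  const pins = { [url]: await sha256Hex(released) }; // computed at release time
  const clean = await loadVerified(url, pins, async () => released);
  let tampered;
  try {
    await loadVerified(url, pins, async () => altered);
    tampered = 'loaded';
  } catch (err) {
    tampered = err.message.startsWith('integrity mismatch') ? 'blocked' : 'error';
  }
  return { cleanLoaded: clean.length > 0, tampered };
}
```

The check is only as trustworthy as the page that performs it, which is the point the first answer makes: the loader and the pinned hashes have to come from the server you control.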