From 603413b6baf8f0dca8e91ddeec2a63622a17cce9 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Thu, 18 Jun 2026 11:34:40 +0000
Subject: [PATCH] security: add SRI hash to CDN-loaded Redoc script

Without an integrity attribute, a CDN compromise could silently serve
tampered JavaScript to every visitor of the API docs site. The sha384
hash was computed directly from the published redoc@2.5.3 bundle and
locks the browser to that exact byte sequence.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XXMsynQpRizsmbZda5Xtmv
---
 docs/index.html | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/index.html b/docs/index.html
index a41407e..76273e3 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -16,6 +16,8 @@
            required-props-first="true"
            sort-props-alphabetically="false">
     </redoc>
-    <script src="https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/redoc@2.5.3/bundles/redoc.standalone.js"
+            integrity="sha384-xiEssMQFSpSfLbzRZCGfxxIM5QDb2DTrU6vyoZdp2sV1L6pmOMy6MpTtUoLbpC96"
+            crossorigin="anonymous"></script>
   </body>
 </html>