Third Party Dependencies

This page was last reviewed on September 19th, 2024. It needs to be reviewed again on June 19th, 2025.

Guidelines for choosing a third party package can be found in the general third party dependencies documentation page.

How can you secure front-end third-party integrations?

  • Use modern browser features such as HTTPS, Content Security Policy (CSP) and Subresource Integrity (SRI).
    • Use HTTPS (Hypertext Transfer Protocol Secure) for all your web traffic, including the requests to and responses from third-party services. HTTPS encrypts the data in transit, preventing eavesdropping, tampering, or spoofing.
    • Content Security Policy (CSP) is a browser security feature that allows you to specify what is allowed on your website, such as scripts, styles, images and fonts. CSP can help prevent cross-site scripting (XSS) attacks, which can inject malicious code into your web pages through third-party integrations.
    • Subresource Integrity (SRI) is a browser security feature that enables browsers to verify that the resources they fetch (for example, from a CDN) are delivered without unexpected manipulation.
  • Monitor and audit your integrations.
    • Monitoring means keeping track of the performance, availability and errors of your integrations, using tools like logs, alerts, dashboards and reports (for example, Azure Monitor).
    • Auditing means reviewing the security and compliance of your integrations, using tools like scanners, analyzers and testers (for example, GitHub Dependabot, npm audit and Snyk).
  • Update and review your integrations (ideally annually).
    • Updating means applying the latest patches and fixes.
    • Reviewing means evaluating the quality, reliability and necessity.
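
The SRI check described in the list above can also be run at build or review time, before a third-party file is referenced from a page. The following Node.js example is added here and is not part of the original page; the function names `sriHash` and `checkSri` and the sample script bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Hash algorithms browsers accept for SRI, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Compute the value for a tag's integrity attribute from the exact file bytes.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Check bytes against an integrity attribute the way a browser does:
// unknown tokens are ignored, only the strongest algorithm present counts,
// and any matching digest for that algorithm is accepted.
// Returns 'match', 'mismatch', or 'unenforced' (no usable token, so a
// browser would load the resource without any integrity check).
function checkSri(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => t.split('?')[0])                      // drop optional "?options"
    .map((t) => ({ alg: t.split('-')[0], token: t }))
    .filter((t) => ALGS.includes(t.alg));
  if (tokens.length === 0) return 'unenforced';
  const strongest = ALGS[Math.max(...tokens.map((t) => ALGS.indexOf(t.alg)))];
  const expected = sriHash(body, strongest);
  return tokens.some((t) => t.alg === strongest && t.token === expected)
    ? 'match' : 'mismatch';
}

// Constructed sample: a third-party script as reviewed, and a changed copy.
const reviewed = Buffer.from('window.widget = { version: "1.0.0" };\n');
const changed = Buffer.from('window.widget = { version: "1.0.0" }; track();\n');

const pinned = sriHash(reviewed);                      // value to put in integrity="..."
console.log(pinned);
console.log(checkSri(reviewed, pinned));               // file is unchanged
console.log(checkSri(changed, pinned));                // file differs from the pinned hash
console.log(checkSri(changed, 'sha348-AAAA'));         // mistyped algorithm name
```

A result of `unenforced` deserves the same attention as `mismatch` in a build check: a mistyped algorithm name leaves the attribute in place but gives no protection.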

Maintaining a list of third-party frontend packages is too complex. Therefore, we have reduced our recommendations to project build tools previously used by Gemeente Amsterdam projects.