I am looking for a feature that will allow me to get notified if any new files are inserted into the site (it cannot be tied to the normal deploy process). I am quite happy with something like MD5 checksums (tripwire-style). This would allow us to get quickly notified in case the website was hacked somehow and take appropriate action on it. Checking the site from the outside is not an option, since dropping a backdoor file wouldn’t be detectable, unless you knew the name of it.
@Bob1 Welcome to the Netlify community.
I would say, “Wait to worry” on this one. I doubt Netlify’s CDN can be hacked separately from your build chain, so as long as your build chain is secure, then your files on the Netlify CDN should be fine.
I don’t believe in unhackable systems. I would prefer a control.
@Bob1 Even within a hackable system, there are often elements that are not hackable. I would think that the connection between Netlify’s build process and CDN is pretty close to that, and certainly more secure than your connection to and repository with GitHub, or your own computer, for that matter.
I am not saying I will exclude controls on other phases of the deploy, I am merely stating that I want a control for the running environment. They are not mutually exclusive, nor do they overlap completely in risk coverage.
@Bob1 OK, but the Netlify CDN is not really a “running environment,” in that it serves static assets. As long as the asset is OK, there’s no problem. To introduce “control” in the process of serving those static assets introduces the possibility – indeed, the likelihood – that there can be security breaches.
Because of how our atomic deploys work, there is no way to update one file at a time without deploying a new version of the entire site. Our build and deploy system does something similar to what you describe: takes in a list of expected checksums in the new deploy, validates that we in fact received all checksums we were expecting, and proceeds with a deploy. If any of the checksums don’t match, the deploy does not proceed.
So my advice would be to set up notifications around new deploys. We offer a number of ways of doing this that you can check out in our docs:
Please let us know if this helps or if you have additional questions!
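The tripwire-style check asked for in the opening post and the checksum validation the Netlify reply describes for its deploy pipeline are the same operation viewed from two sides: record a manifest of file hashes, then compare a later snapshot against it and flag anything added, removed or changed. The script below is an added example written for this thread, not Netlify's own code or anything from its docs. It assumes a plain local directory of static files and uses SHA-256 rather than MD5 (MD5 collisions are cheap, so it is a poor choice for an integrity baseline even though it is fine for the "did something change" use case). The sample site contents and the dropped file in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    # Store the baseline outside the served tree so an attacker who can drop
    # files into the site cannot simply rewrite the manifest to match.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_manifest(expected: dict, actual: dict) -> dict:
    """Classify differences between a baseline and a fresh snapshot.

    'added' is the case the opening post cares about: a file nobody deployed
    (e.g. a dropped backdoor) that an external crawl would never find because
    nothing links to it. 'modified' and 'removed' are what a deploy-time
    checksum validation rejects.
    """
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    modified = sorted(k for k in expected.keys() & actual.keys()
                      if expected[k] != actual[k])
    return {"added": added, "removed": removed, "modified": modified}


def deploy_is_consistent(expected: dict, actual: dict) -> bool:
    """Deploy-style gate: every expected checksum present and matching, nothing extra."""
    diff = compare_manifest(expected, actual)
    return not (diff["added"] or diff["removed"] or diff["modified"])


def demo() -> dict:
    """Build a baseline for a constructed site, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "site"
        (root / "assets").mkdir(parents=True)
        (root / "index.html").write_text("<h1>hello</h1>")
        (root / "assets" / "app.js").write_text("console.log('ok');")

        baseline_path = Path(d) / "baseline.json"  # outside the served tree
        save_manifest(build_manifest(root), baseline_path)

        # Constructed tampering: one file dropped, one existing file edited.
        (root / "assets" / "dropped-file.txt").write_text("not part of any deploy")
        (root / "index.html").write_text("<h1>hello</h1><!-- edited -->")

        return compare_manifest(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (cron, a CI job, or a post-deploy hook that regenerates the baseline only from a trusted build) and alert on any non-empty `added`, `removed` or `modified` list. The baseline must be written by the deploy step and stored where the serving environment cannot modify it; a manifest that lives next to the files it protects can be rewritten by the same access that dropped the backdoor.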