Subresource Integrity (SRI) is a security mechanism that allows web browsers to check the integrity of resources they fetch from external sources, such as Content Delivery Networks (CDNs). SRI ensures that the resources are delivered without any unexpected modifications or tampering.
SRI guards against two risks: the third-party server (such as a CDN) could be compromised and its resources modified to include malicious content, or a network attack could modify the resources en route from the third-party server to the user’s browser.
Subresource Integrity
With SRI, you can specify a cryptographic hash value that the fetched resource must match before the browser accepts and uses it.
Add a base64-encoded cryptographic hash of the resource (file) you want the browser to fetch, prefixed with the name of the hash algorithm. It is specified in the “integrity” attribute.
Generate the hash

You can generate the hash with either of the commands below, or use an online hash generator.
OpenSSL
cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A
shasum
shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64
Add the hash
To use SRI, you specify the hash of the expected resource in the integrity attribute of the <script> or <link> tag:
<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
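The following Node.js sketch is an added example, not code from the original page. It computes the same value as the OpenSSL command above and mirrors how a browser evaluates the integrity attribute, going beyond the page to cover an attribute that lists several hashes. The file contents and all function names are constructed for illustration.

```javascript
// Added example (not from the original page). Node.js, built-in modules only.
const crypto = require("crypto");

const ALGOS = ["sha256", "sha384", "sha512"]; // SRI algorithms, weakest to strongest

// Same value as: openssl dgst -sha384 -binary | openssl base64 -A, with the "sha384-" prefix.
function sriHash(bytes, algo = "sha384") {
  if (!ALGOS.includes(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// Mirrors the browser's check: parse the space-separated integrity value,
// keep only the strongest algorithm present, accept if any of its hashes matches.
function verifyIntegrity(bytes, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((token) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token))
    .filter(Boolean)
    .map(([, algo, digest]) => ({ algo, digest }));
  if (parsed.length === 0) return true; // no usable hash: nothing is enforced
  const strongest = parsed
    .reduce((a, b) => (ALGOS.indexOf(b.algo) > ALGOS.indexOf(a.algo) ? b : a)).algo;
  return parsed
    .filter((p) => p.algo === strongest)
    .some((p) => sriHash(bytes, p.algo) === `${p.algo}-${p.digest}`);
}

// Build-time helper: emit the tag with the hash of the file you reviewed.
function scriptTag(url, bytes) {
  const safeUrl = url.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<script src="${safeUrl}" integrity="${sriHash(bytes)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data: the file as reviewed, and the same file after modification.
const original = Buffer.from("console.log('example-framework v1');\n");
const modified = Buffer.concat([original, Buffer.from("/* changed on the CDN */\n")]);

function demo() {
  const pinned = sriHash(original);
  return {
    tag: scriptTag("https://example.com/example-framework.js", original),
    originalOk: verifyIntegrity(original, pinned),
    modifiedOk: verifyIntegrity(modified, pinned),
    // Two hashes of the same strength: either file is accepted (useful during a version rollover).
    rolloverOk: verifyIntegrity(modified, `${pinned} ${sriHash(modified)}`),
    // A matching weaker hash does not override a mismatching stronger one.
    downgradeOk: verifyIntegrity(modified, `${sriHash(modified, "sha256")} ${pinned}`),
  };
}

console.log(demo());
```

An attribute that contains no recognised hash (for example a typo in the algorithm name) enforces nothing, so check the generated tag rather than assuming it protects the page.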
Reference
- Subresource Integrity (SRI) (OWASP)
- Subresource Integrity (Mozilla)
- SRI Hash Generator (Srihash)
- Missing Subresource Integrity (Tenable)