
Subresource Integrity Deep

An integrity hash on script and style tags so a tampered CDN file is rejected by the browser.

What it is

Subresource integrity lets you pin the exact contents of a script or stylesheet you load from a third party. The browser refuses to run the file if its hash does not match.

How it works

  • You add an integrity attribute holding a cryptographic hash of the expected file.
  • The browser downloads the resource and computes its hash.
  • If the hashes match, it runs; otherwise the browser blocks it.

Why it matters

If a CDN is compromised or a file is swapped, the served bytes change and the hash check fails. This protects you from a trusted host turning malicious.

Important details

  • You usually add crossorigin="anonymous" so a cross-origin response is readable for the check.
  • SRI only protects static, versioned files since any legitimate change breaks the hash.
  • Combine it with a Content Security Policy (CSP) so that integrity is required on all scripts.

Key idea

Subresource integrity pins a hash on third party files so the browser blocks any tampered or swapped resource.

Check yourself

1. What happens if an SRI hash does not match?

2. Why is SRI only suitable for versioned static files?