
Subresource Integrity

Pin a hash on third-party scripts so a tampered file refuses to run.


Trusting Code From Other Servers

Web pages often load scripts and styles from content delivery networks. If that CDN is compromised or a file is swapped, your page runs attacker code with full access to your users. You are trusting a server you do not control.

How SRI Works

Subresource Integrity lets you declare the expected cryptographic hash of a fetched file.

  • Add an integrity attribute carrying a hash (for example sha384) of the exact bytes of the file you reviewed.
  • The browser fetches the file, hashes it, and compares the result with the declared value.
  • If the hashes differ, the browser refuses to execute the resource.

Practical Notes

  • Pair SRI with the crossorigin attribute on cross-origin resources; without it the browser cannot read the response to check it and treats the resource as failing.
  • Update the hash whenever you intentionally upgrade the file version; an old hash will block the new file.
  • SRI protects integrity, not confidentiality, and works best for versioned, immutable files.

Key idea

SRI pins the expected hash of a third-party file so the browser rejects any tampered version, protecting users even if the CDN is compromised.

Check yourself


1. What does the browser do if an SRI hash does not match?

2. What kind of files is SRI best suited for?