Subresource Integrity (SRI) for Scripts
Subresource Integrity (SRI) lets browsers verify that a script or stylesheet fetched from another origin (e.g. a CDN) has not been altered. You supply a cryptographic hash; if the resource does not match, the browser refuses to execute or apply it. Used with the crossorigin attribute, SRI is a standard way to secure third-party script execution.
The hash is the algorithm name, a hyphen, and the base64 digest (no spaces). You can list multiple hashes (e.g. sha256 and sha384); the browser uses the first one it supports.
What Is Subresource Integrity?
SRI is a W3C specification that uses the HTML integrity attribute. You add a hash of the expected file content to the <script> or <link> tag. The browser hashes the fetched resource and compares it to your value. A mismatch means the file was modified in transit or on the server; the browser then blocks it.
Why use SRI?
CDNs and third-party hosts can be compromised or serve different content to different users. SRI ensures that only the exact content you hashed is executed, reducing the risk of supply-chain and MITM attacks.
How to Use SRI
Use the integrity attribute with the hash algorithm and a base64-encoded digest. Supported algorithms are sha256, sha384, and sha512. Prefer sha384 or sha512 for stronger security.
| Algorithm | Performance | Security level | Recommendation |
|---|---|---|---|
| SHA-256 | Fastest | High | Good default; fine for most cases. |
| SHA-384 | Balanced | Very high | Industry standard; recommended for most sites. |
| SHA-512 | Slower | Extreme | Great for higher-security environments. |
Script with SRI and crossorigin
<script
  src="https://cdn.example.com/app.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>
The crossorigin Attribute
For resources loaded from another origin, the browser must request them in a CORS mode to apply SRI. Without this, the same-origin policy can prevent the browser from reading the response to verify the hash. Set crossorigin="anonymous" or crossorigin="use-credentials" on the tag.
- anonymous: Sends the Origin header and does not send cookies. Use this for public CDN scripts.
- use-credentials: Includes credentials (cookies, client certs) if the request is same-origin or the server allows credentials. Use only when the third party requires it.
If you omit crossorigin, the request may be sent without CORS and SRI verification can be skipped or fail. MDN describes the attribute in detail.
When SRI Is Needed
Use SRI when:
- Loading scripts or styles from a CDN or other third party
- You want to lock the exact version and detect tampering
See also
- SRI Hash Calculator : Generate SHA-256, SHA-384, or SHA-512 integrity hashes for a URL or file
- The sha-XXX keyword in CSP : How CSP uses hashes and why crossorigin matters for reports
- Hashes and nonce : CSP hash and nonce allowlisting
- Get started with CSP : Implementing CSP and reporting