Subresource Integrity, commonly referred to as SRI, is an innovative W3C standard. Its primary purpose is to empower web developers with a tool to verify that third-party hosted resources remain unaltered and genuine. Adopting SRI is widely considered a best practice, especially when integrating libraries from external sources.
For a comprehensive guide, check out how SRI operates as explained on Mozilla Developer Network (MDN).
While TLS (HTTPS) ensures a safe browser-server connection, it doesn't guard against server-side alterations of the resource by potential attackers. Even with a valid TLS certificate, the resource might be compromised. SRI steps in here, offering a validation that the resource remains as the web author intended.
To generate integrity hashes, you can use our built-in generator above. Alternatively, follow this command in your shell interface:
openssl dgst -sha384 -binary YOUR_FILENAME.js | openssl base64 -A
crossorigin="anonymous"
If your request spans different origins, it's crucial to include the crossorigin
attribute. Without it, browsers default to a 'fail-open'
mode, ignoring the SRI's security benefits. The attribute crossorigin="anonymous"
ensures no credentials are forwarded to the third-party
hosting the resource but sends an Origin
header. Should the server deny access, the browser won't utilize the resource. Learn more about
crossorigin on MDN's comprehensive guide.
Wondering if your browser supports SRI? Explore caniuse.com's SRI section for detailed information on browser version compatibility.
For a hands-on experience, you can evaluate your browser's SRI compatibility on this test page.