SRI
Definition
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources fetched from a third-party server have not been tampered with. It works by allowing developers to provide a cryptographic hash that the browser can use to check the integrity of the fetched resource. If the fetched resource’s hash does not match the expected hash, the browser will block the resource from being used, thus protecting against malicious modifications.
Secure Settings Example
<script src="https://example.com/script.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux5z9Jr74q2Jc1L1p6K9I4v3lt5V5Q3"
        crossorigin="anonymous"></script>
In this example, the integrity attribute specifies a SHA-384 hash that the browser will use to verify the integrity of the script.js file. The crossorigin attribute is set to anonymous so that the script is fetched with CORS, which the browser requires before it can check the integrity of a resource served from another origin.
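The following added example (not part of the original page) shows how the value of an integrity attribute is produced and how the browser-side check behaves: it hashes a constructed stand-in for script.js, verifies the unmodified content against the attribute, and rejects a tampered copy. It also applies the rule that when several hashes are listed, only those using the strongest recognised algorithm count.

```python
import base64
import hashlib
import hmac

# Hash functions the SRI spec recognises, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Build an integrity attribute value such as "sha384-<base64 digest>"."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Apply the browser's rule: of the space-separated hashes in the attribute,
    only those using the strongest recognised algorithm are considered, and the
    content passes if it matches any one of them. Unrecognised algorithms are
    ignored; if nothing recognisable remains, the spec treats the attribute as
    absent and the resource is allowed."""
    parsed = []
    for token in integrity.split():
        algorithm, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # drop any "?option" suffix
        if algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, digest))
    if not parsed:
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    actual = sri_hash(content, strongest).split("-", 1)[1].encode("ascii")
    return any(
        hmac.compare_digest(actual, digest.encode("ascii", "replace"))
        for algorithm, digest in parsed
        if algorithm == strongest
    )


if __name__ == "__main__":
    # Constructed sample resource standing in for script.js.
    original = b"console.log('hello from script.js');\n"
    tampered = original.replace(b"hello", b"HELLO")
    integrity = sri_hash(original)
    print(f'<script src="script.js" integrity="{integrity}" '
          'crossorigin="anonymous"></script>')
    print("original passes:", sri_verify(original, integrity))  # True
    print("tampered passes:", sri_verify(tampered, integrity))  # False
```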
Insecure Settings Example
<script src="https://example.com/script.js"></script>
This example lacks the integrity attribute, so the browser will not verify the fetched resource. Any modification of the external script, whether on the third-party server or in transit, is executed as if it were the intended code.