Subresource Integrity
ELI5 — The Vibe Check
Subresource Integrity (SRI) adds a hash to your script and link tags. The browser downloads the file, checks the hash, and only executes it if it matches. If a CDN gets hacked and serves malicious code, SRI blocks it. It's a tamper seal for external resources.
Real Talk
Subresource Integrity is a W3C standard that lets browsers verify that a fetched resource has not been tampered with. The integrity attribute carries a base64-encoded cryptographic hash (SHA-256, SHA-384 or SHA-512, prefixed with the algorithm name) that must match the fetched content exactly. If verification fails, the browser refuses to execute or apply the resource.
Show Me The Code
<script
src="https://cdn.example.com/lib.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"
></script>
When You'll Hear This
"SRI hashes on all CDN scripts mean a compromised CDN can't inject malicious code." / "Generate SRI hashes with 'shasum -a 384' and add them to your script tags."
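The tamper seal described above, worked through in Python as an added example that is not part of the original page: it generates the integrity value for a constructed script body and then replays the browser's check, including two spec rules a practitioner should know, namely that only the strongest listed algorithm is checked and that tokens with an unrecognised algorithm are silently ignored (so a typo in the algorithm name disables the check rather than failing closed). The sample script contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Hash functions the SRI spec allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")
_TOKEN = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(?:\?.*)?")

# Constructed sample resource, and a copy altered by one appended line.
ORIGINAL_JS = b"window.greet = function () { return 'hello'; };\n"
TAMPERED_JS = ORIGINAL_JS + b"// a single extra line breaks the seal\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Build the integrity value for a resource: '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> dict[str, set[str]]:
    """Map each recognised algorithm to the digests listed for it.

    Tokens with an unknown algorithm or bad syntax are dropped, as
    browsers do; several digests per algorithm are permitted.
    """
    parsed: dict[str, set[str]] = {}
    for token in integrity.split():
        match = _TOKEN.fullmatch(token)
        if match:
            parsed.setdefault(match.group(1), set()).add(match.group(2))
    return parsed


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Replay the browser's decision for a fetched body.

    Only the strongest listed algorithm is checked, and any one of its
    digests may match. Failure mode worth knowing: an attribute with no
    recognised token is treated as if no integrity were given at all.
    """
    parsed = parse_integrity(integrity)
    if not parsed:
        return True  # no valid metadata: nothing is enforced
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return any(hmac.compare_digest(actual, d) for d in parsed[strongest])
```

For a cross-origin resource the tag also needs crossorigin="anonymous", as in the example above; without it the browser gets an opaque response it cannot hash, and the load fails.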
Related Terms
Content Security Policy Headers
CSP tells the browser exactly where scripts, styles, images, and other resources are allowed to load from. If a hacker injects a script pointing to evil.
Security Headers
Security Headers are HTTP response headers that tell browsers 'here's how to protect my users.
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.