Why Subresource Integrity (SRI) Matters More Than You Think
Loading scripts from CDNs without integrity hashes? One compromised CDN could inject malicious code into every page on your site.
Every time your website loads jQuery from a CDN, a font from Google Fonts, or a tracking script from a third-party service, you're trusting that the CDN will always serve the correct, unmodified file. Subresource Integrity (SRI) lets you verify that trust.
The attack scenario
It's not hypothetical. In 2018, the British Airways website was compromised through a modified script that skimmed payment card details. Magecart attacks routinely compromise third-party scripts to inject card skimmers. If your site loads scripts from external CDNs without SRI, you're one compromised CDN away from serving malicious code to every one of your users.
How SRI works
You add an integrity attribute to your script and link tags with a cryptographic hash of the expected file contents. The browser downloads the file, computes the hash, and only executes it if the hash matches.
<script src="https://cdn.example.com/library.min.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAh6VgnSY" crossorigin="anonymous"></script>
If the CDN serves a modified file, the hash won't match and the browser will refuse to execute it. Your site might break (the script won't load), but your users won't be compromised.
Generating SRI hashes
# Generate an SRI hash from the command line (the "sha384-" prefix goes in front of the output in the integrity attribute):
openssl dgst -sha384 -binary library.min.js | openssl base64 -A
# Or use: https://www.srihash.org
Most bundlers and build tools can generate SRI hashes automatically. Webpack has the SriPlugin, and there are equivalents for Vite, Rollup, and others.
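To make the hash generation and the browser's check concrete, here is an added example (not code from the original post or from any tool it mentions) that produces the integrity value the way the openssl pipeline above does and then replays the browser-side comparison described under "How SRI works", including the multi-hash rule where only the strongest listed algorithm is consulted. The file contents are constructed sample data, not a real library.

```python
import base64
import hashlib
import hmac

# Hash functions the SRI spec accepts, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Build the integrity attribute value for `data`, e.g. 'sha384-<base64>'.
    Same result as `openssl dgst -<alg> -binary FILE | openssl base64 -A`, plus prefix."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list:
    """Split a (possibly multi-token) integrity attribute into (alg, b64) pairs.
    Tokens with unknown algorithms are skipped, as browsers skip them."""
    parsed = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        parsed.append((alg, rest.split("?", 1)[0]))  # drop optional "?options"
    return parsed


def verify_integrity(data: bytes, attr: str) -> bool:
    """Mimic the browser check: only tokens using the strongest listed algorithm
    count, and any one of them matching the actual digest is enough. An attribute
    with no usable tokens is treated as if absent, so the resource is allowed."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    actual = sri_hash(data, strongest).partition("-")[2].encode()
    return any(hmac.compare_digest(actual, b64.encode())
               for alg, b64 in parsed if alg == strongest)


if __name__ == "__main__":
    # Constructed sample: the file you hashed at build time vs. a one-byte change.
    original = b"window.lib = {version: '1.0'};\n"
    tampered = original.replace(b"1.0", b"1.1")
    expected = sri_hash(original)  # what you would paste into integrity="..."
    print(expected)
    print("original passes:", verify_integrity(original, expected))  # True
    print("tampered passes:", verify_integrity(tampered, expected))  # False
```

Note that an attribute naming only algorithms the browser does not recognise is ignored rather than enforced, which is why a typo in the prefix silently removes the protection.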
Check your site
KrakenProbe checks every external script and stylesheet on your page for SRI hashes and tells you exactly which CDN resources are unprotected. Run a scan to see your exposure.