| Subresource Integrity | |
|---|---|
| Name | Subresource Integrity |
| Introduced | 2013 |
| Standard | W3C |
| Related | Content Security Policy, Cross-Origin Resource Sharing, HTTPS |

Subresource Integrity
Subresource Integrity (SRI) is a web security mechanism that lets browsers verify that fetched resources (such as scripts or stylesheets) are delivered without unexpected manipulation. It ties a cryptographic hash digest to a resource reference so that a browser can detect tampering by compromised CDNs, mirror servers, or intermediaries when loading assets for pages served by entities such as Google, Mozilla Foundation, Microsoft Corporation, Facebook, and Twitter.
Subresource Integrity provides a way for authors and organizations like the W3C, the WHATWG, the Internet Engineering Task Force, and ECMA International to protect client-side dependencies by specifying a known-good integrity value. Major technology stakeholders including Akamai Technologies, Cloudflare, Amazon Web Services, GitHub, and npm, Inc. integrate integrity considerations into their distribution workflows. Standards and projects such as HTML5, CSP (Content Security Policy), TLS, HTTPS, and Service worker discussions intersect with SRI design choices. Litigation-relevant entities such as the European Commission and regulators involved in General Data Protection Regulation debates have noted supply-chain protections like SRI alongside secure delivery protocols.
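
The digest check described above, as an added example (not code from any browser or from the SRI specification): a simplified Node.js model of how a known-good integrity value is produced and how a fetched body is checked against it. The function names and sample script bodies are constructed for illustration, and the model omits the CORS eligibility checks a browser also performs.

```javascript
// Added example: simplified model of the SRI digest check, runnable in Node.js.
const { createHash } = require("crypto");

// Hash algorithms defined for SRI, ordered weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Build the value an author pins in the integrity attribute.
function integrityFor(body, algorithm = "sha384") {
  const digest = createHash(algorithm).update(body).digest("base64");
  return `${algorithm}-${digest}`;
}

// Split an integrity attribute into { algorithm, digest } entries,
// dropping tokens whose algorithm is not recognised.
function parseIntegrity(attribute) {
  return attribute
    .trim()
    .split(/\s+/)
    .map((token) => {
      const dash = token.indexOf("-");
      const algorithm = token.slice(0, dash);
      const digest = token.slice(dash + 1).split("?")[0]; // strip options
      return { algorithm, digest };
    })
    .filter((m) => ALGORITHMS.includes(m.algorithm) && m.digest.length > 0);
}

// True when the body may be used: it must match a digest of the
// strongest algorithm listed; weaker digests are then ignored.
function matchesIntegrity(body, attribute) {
  const metadata = parseIntegrity(attribute);
  // No usable entry (e.g. a mistyped algorithm) means nothing is enforced.
  if (metadata.length === 0) return true;
  const strongest = metadata.reduce((best, m) =>
    ALGORITHMS.indexOf(m.algorithm) > ALGORITHMS.indexOf(best.algorithm) ? m : best
  ).algorithm;
  const actual = integrityFor(body, strongest);
  return metadata
    .filter((m) => m.algorithm === strongest)
    .some((m) => actual === `${strongest}-${m.digest}`);
}

// Constructed sample: a pinned script and a modified copy of it.
const original = Buffer.from("console.log('widget v1');\n");
const tampered = Buffer.from("console.log('widget v1');/* injected */\n");
const pinned = integrityFor(original);
```

An attribute whose only entries use an unrecognised algorithm enforces nothing, so a build step that emits integrity values should confirm that each one starts with `sha256-`, `sha384-` or `sha512-`.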
The syntax uses an integrity attribute on resource elements such as