Subresource integrity
Often, scripts from third-party providers are used. For example, your HTML head may look like this:
If the servers hosting these JavaScript libraries are compromised, every website that loads the library will run the malicious script.
Protecting third party resources
Subresource Integrity (SRI) allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Always use SRI whenever libraries are loaded from a third-party source. The idea is simple: instead of using the following script reference:
You should use the following:
This latter reference has an integrity attribute (integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="), which is a hash of the jQuery script. If an attacker is able to modify the jQuery script, your browser will no longer load it, because the browser verifies that the hash of the jQuery script it fetched equals the value of the integrity attribute.
Source attribution
Some parts of this page are based on the Third Party Javascript Management Cheat Sheet, which is licensed under FLOSS.