Implementing Subresource Integrity (SRI)
SRI lets browsers verify that external scripts and stylesheets haven't been tampered with, protecting against supply chain attacks and CDN compromises.
What is SRI?
Subresource Integrity is a browser security feature that verifies file contents against a cryptographic hash. If the file has been modified, the browser refuses to execute it.
```html
<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"
></script>
```
How to Implement
Step 1: Get the Hash
ScriptAttest provides SRI hashes for your external scripts:
- Run an attestation scan on your site
- Go to the ScriptAttest tab
- Expand the SRI Hashes section
- Click Copy Hash or Copy Script Tag
Step 2: Add to Your HTML
Add the integrity and crossorigin attributes to your script tags:
```html
<!-- Before -->
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"></script>

<!-- After -->
<script
  src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"
  integrity="sha384-..."
  crossorigin="anonymous"
></script>
```
The crossorigin Attribute
The `crossorigin="anonymous"` attribute is required for SRI to work with cross-origin resources. Without it, the browser cannot read the cross-origin response to verify the hash, so the integrity check is not performed and the script will not run.
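The two steps above, and the check the browser then performs on the fetched body, as an added Python example (not ScriptAttest's code or a browser's): `sri_hash` builds the integrity value, `script_tag` emits the tag with both attributes, and `sri_verify` mirrors the browser's rule of honouring only the strongest algorithm listed and rejecting a body whose content has changed. The function names, the sample bodies and the CDN URL are assumptions.

```python
import base64
import hashlib

# Digest families the SRI spec allows, ordered weakest to strongest; a browser
# honours only the strongest family present in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample resource bodies (not real CDN content).
ORIGINAL = b"window.lib = { version: '1.0.0' };\n"
TAMPERED = ORIGINAL + b"/* changed after the hash was taken */ window.lib.patched = true;\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Step 1: build the integrity value, '<alg>-<base64 digest>', for a body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Step 2: the tag with integrity and the required crossorigin attribute."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mirror the browser's check: parse a space-separated integrity attribute,
    drop unknown algorithms and '?option' suffixes, keep only the strongest
    family listed, and accept the body if any digest in that family matches.
    With no usable metadata the check is skipped and the resource loads."""
    parsed = []
    for token in integrity.split():
        algorithm, sep, digest = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, digest.split("?", 1)[0]))
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    return any(sri_hash(content, alg) == f"{alg}-{digest}"
               for alg, digest in parsed if alg == strongest)


if __name__ == "__main__":
    expected = sri_hash(ORIGINAL)
    print(script_tag("https://cdn.example.com/lib.js", ORIGINAL))
    print("original body passes:", sri_verify(ORIGINAL, expected))  # True
    print("tampered body passes:", sri_verify(TAMPERED, expected))  # False
```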
Scripts That Can't Use SRI
Some scripts change their content frequently, making SRI impractical. ScriptAttest identifies these as "Dynamic Scripts":
| Script | Why SRI Won't Work |
|---|---|
| Google Tag Manager | Bundles are regenerated per container configuration. Every request may return different content. |
| Google Analytics (gtag.js) | Script content changes frequently with updates. |
| Facebook Pixel | Script content changes frequently. |
| HubSpot | Script is generated per portal. |
| Segment | Script is bundled per source configuration. |
| Hotjar | Script content changes frequently. |
Protecting Dynamic Scripts
For scripts that can't use SRI:
- Monitor with ScriptAttest - Regular attestation scans alert you to unexpected changes
- Restrict `connect-src` - Limit where these scripts can send data
- Review tag configurations - Audit what your tag manager is loading
Using ScriptAttest for SRI
Finding Hashes
- Navigate to your site in the dashboard
- Click the ScriptAttest tab
- Expand the SRI Hashes section
You'll see:
- SRI-Compatible Scripts - External scripts with copyable hashes
- Dynamic Scripts - Scripts where SRI isn't supported (with explanations)
Bulk Export
For sites with many scripts:
- Copy All Script Tags - Copies all SRI-enabled script tags to clipboard
- Download Manifest (JSON) - Downloads a URL-to-hash mapping file
Keeping Hashes Updated
When you update a library version, the hash changes. Run a new attestation scan to get the updated hash.
ScriptAttest's drift detection will alert you when script content changes, reminding you to update your SRI hashes.
Troubleshooting
Script Blocked by Browser
If a script is blocked after adding SRI:
- The script content may have changed - get a new hash from ScriptAttest
- Check you're using the correct hash algorithm (sha384 recommended)
- Verify the `crossorigin="anonymous"` attribute is present
Hash Mismatch Errors
Some CDNs serve different content based on request headers or location. If you get persistent hash mismatches, the script may not be SRI-compatible.