Skip to content

SRI (Subresource Integrity): Definition, Use Cases, and Examples

TL;DR:

SRI (Subresource Integrity) protects against CDN compromise. In <script src="..." integrity="sha384-..."> the integrity attribute contains a hash of the expected content. If the CDN swaps the file (supply-chain attack), the hash mismatches and the browser refuses to execute. Mandatory for all external CDN resources.

Check your site's security →

What is SRI (Subresource Integrity)

SRI (Subresource Integrity) protects against CDN compromise. In <script src="..." integrity="sha384-..."> the integrity attribute contains a hash of the expected content. If the CDN swaps the file (supply-chain attack), the hash mismatches and the browser refuses to execute. Mandatory for all external CDN resources.

Check SRI (Subresource Integrity) online

Open tool →

Understanding SRI: How It Works

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files hosted on third-party servers have not been manipulated. When a web page references an external script or stylesheet, it can include an integrity attribute, which contains a cryptographic hash of the file's expected content. This hash is computed using a secure hashing algorithm like SHA-256, SHA-384, or SHA-512.

When the browser fetches the resource, it computes the hash of the downloaded file and compares it with the hash provided in the integrity attribute. If the hashes do not match, the browser will refuse to execute the file, thereby preventing potential supply-chain attacks where an attacker compromises a Content Delivery Network (CDN) to deliver malicious content.

To implement SRI, you can use the following syntax:

<script src="https://cdn.example.com/library.js" integrity="sha384-abc123..." crossorigin="anonymous"></script>

The crossorigin attribute is also crucial for SRI as it specifies how the browser should handle CORS (Cross-Origin Resource Sharing) requests.

Best Practices for Implementing SRI

Implementing Subresource Integrity (SRI) effectively requires adherence to several best practices to maximize security:

  • Use Strong Hash Algorithms: Opt for SHA-384 or SHA-512 for generating hashes. These algorithms provide better security than SHA-256, which is easier to compromise.
  • Regularly Update Hashes: Whenever you update third-party resources, ensure that you regenerate the hash and update the integrity attribute accordingly. This prevents mismatches that could lead to broken functionality.
  • Test in Development: Before deploying changes to production, thoroughly test your SRI implementation in a staging environment. This helps identify any potential issues with integrity checks.
  • Monitor External Resources: Regularly audit and monitor the external resources you include. If a CDN changes its file without your knowledge, you need to be aware of the potential risks.

By following these best practices, web developers can significantly reduce the risk of supply-chain attacks and ensure that their applications are secure.

Practical Implementation of SRI in Your Project

To integrate Subresource Integrity (SRI) into your web project, follow these steps:

  1. Identify External Resources: List all external scripts and stylesheets your application uses, particularly those served from CDNs.
  2. Generate Hashes: Use a command-line tool like openssl to generate the hash for each file. For example:
openssl dgst -sha384 -binary library.js | openssl base64 -A

This command computes the SHA-384 hash of library.js and encodes it in base64 format.

  1. Update HTML Files: Insert the generated hash into your HTML files. For example:
<script src="https://cdn.example.com/library.js" integrity="sha384-" crossorigin="anonymous"></script>
  1. Test Your Implementation: Open your web application in a browser and check the console for any integrity errors. If the resource is tampered with, the browser should block its execution.

Following these steps will ensure your web application is safeguarded against supply-chain attacks through effective use of SRI.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Do I need SRI (Subresource Integrity)?

See the use-case section above. For a quick check, use our online form.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.