
Subresource Integrity (SRI)

Security CWE-829 OWASP A08:2021 PHP 5.0+ Intermediate
debt(d5/e1/b3/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list Lighthouse, OWASP ZAP, and Semgrep — all specialist or audit-class tools rather than default linters or compilers. Missing SRI on CDN resources won't be flagged by a standard linter pass; you need to run a dedicated security scanner or audit tool to surface it.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1). The quick_fix is explicit: add integrity='sha384-{hash}' and crossorigin='anonymous' to each tag, using srihash.org to generate the hash. Each fix is a single attribute addition per tag — minimal mechanical effort even if there are multiple tags.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). SRI applies only to the web context and specifically to CDN-hosted <script> and <link> tags. The ongoing tax is remembering to regenerate hashes when library versions change, but this burden is confined to front-end asset management and doesn't ripple into broader application architecture or other components.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception field confirms the canonical wrong belief: 'Loading scripts from a reputable CDN is safe without SRI.' Common mistakes reinforce secondary traps — not regenerating hashes on version updates, using SRI over HTTP where MITM can bypass it, and omitting stylesheets. These are documented gotchas that competent developers regularly miss, placing it solidly at t5.


Also Known As

  • SRI
  • integrity hash
  • script integrity check

TL;DR

A browser mechanism that verifies CDN-hosted scripts and stylesheets haven't been tampered with, using a cryptographic hash in the HTML tag.

Explanation

SRI (a W3C specification) adds an integrity attribute to <script> and <link> tags. Its value is the hash algorithm name followed by a base64-encoded SHA-256, SHA-384 or SHA-512 digest of the exact file bytes, for example integrity="sha384-<base64 digest>". The browser hashes what it actually downloads and refuses to execute or apply the resource if the digest does not match, so a CDN that has been compromised, or that silently swaps the file, cannot deliver altered code to your users. The hash pins one exact file: any change to the bytes, including a legitimate new release, fails the check. The crossorigin="anonymous" attribute is not optional for cross-origin resources: the browser can only verify a response it is allowed to read, so a cross-origin resource that carries an integrity attribute but no CORS-enabled response is blocked outright. In PHP applications, generate the value from the bytes the CDN serves with base64_encode(hash('sha384', $bytes, true)) (openssl_digest() with raw output works too), or let the build tool emit it.
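As an added example (not code from the original page), the PHP below shows the hash construction the paragraph describes, the attribute pair it produces for <script> and <link> tags, and the check a build pipeline should run to notice that pinned bytes have drifted. The library content and CDN URLs are constructed stand-ins; the helper names sri_hash, sri_attributes, sri_script_tag, sri_stylesheet_tag and sri_matches are this example's own.

```php
<?php
declare(strict_types=1);

// Algorithms the SRI spec allows; browsers ignore anything else.
const SRI_ALGOS = ['sha256', 'sha384', 'sha512'];

/**
 * Build an integrity value for the exact bytes of a resource:
 * "<algo>-<base64 of the raw digest>". Hash the bytes fetched from the
 * CDN URL you reference, never a local or differently-minified copy.
 */
function sri_hash(string $bytes, string $algo = 'sha384'): string
{
    if (!in_array($algo, SRI_ALGOS, true)) {
        throw new InvalidArgumentException("SRI permits sha256, sha384 or sha512, got '$algo'");
    }
    // The third argument makes hash() return the raw digest; base64 of that is the wire format.
    return $algo . '-' . base64_encode(hash($algo, $bytes, true));
}

/**
 * The attribute pair to put on a <script> or <link rel="stylesheet">.
 * crossorigin="anonymous" is mandatory for a cross-origin resource: the browser
 * can only hash a response it is allowed to read, and blocks the load otherwise.
 */
function sri_attributes(string $bytes, string $algo = 'sha384'): string
{
    return sprintf('integrity="%s" crossorigin="anonymous"', sri_hash($bytes, $algo));
}

function sri_script_tag(string $url, string $bytes): string
{
    return sprintf('<script src="%s" %s></script>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), sri_attributes($bytes));
}

function sri_stylesheet_tag(string $url, string $bytes): string
{
    return sprintf('<link rel="stylesheet" href="%s" %s>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), sri_attributes($bytes));
}

/**
 * Does a pinned integrity value still match the bytes being served? Run this in CI
 * against a fresh download of each CDN URL: a mismatch means the file changed
 * (new release, mirror difference or tampering) and the browser would now block it.
 * Accepts the spec's space-separated list of several hashes and passes if any matches.
 */
function sri_matches(string $pinned, string $bytes): bool
{
    foreach (preg_split('/\s+/', trim($pinned)) as $candidate) {
        [$algo] = explode('-', $candidate, 2);
        if (in_array($algo, SRI_ALGOS, true)
            && hash_equals($candidate, sri_hash($bytes, $algo))) {
            return true;
        }
    }
    return false;
}

// Constructed stand-in for a library file as served by a CDN (not jQuery or any real library).
$served = "/* lib 1.0.0 */\nwindow.lib={version:'1.0.0'};\n";
$url    = 'https://cdn.example.com/lib/1.0.0/lib.min.js';

echo sri_script_tag($url, $served), "\n";
echo sri_stylesheet_tag('https://cdn.example.com/lib/1.0.0/lib.min.css', "body{margin:0}\n"), "\n";

$pinned = sri_hash($served);
var_dump(sri_matches($pinned, $served));
// The same file after a one-byte change, as a tampered copy or a new release would look:
var_dump(sri_matches($pinned, str_replace('1.0.0', '1.0.1', $served)));
```

sri_matches reports true for the bytes the hash was pinned against and false as soon as the content changes, which is exactly the decision the browser makes at load time; running it against a fresh fetch of each CDN URL in CI turns a silent runtime breakage (or a silent swap) into a failed build.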

Common Misconception

Loading scripts from a reputable CDN is safe without SRI. CDNs have been compromised before, and the CDN's TLS certificate only proves who delivered the file, not that the file is the one you reviewed. SRI makes the browser refuse to execute a script whose content differs from the expected hash, which protects against CDN-level supply chain attacks.

Why It Matters

A compromised CDN or third-party host can silently serve malicious JavaScript to all your users — SRI hashes ensure the browser refuses to execute any modified file.

Common Mistakes

  • Adding SRI hashes once at setup but not regenerating them when the library version updates. The hash pins exact bytes, so a version bump without a new hash makes the browser block the resource.
  • Using SRI on resources loaded over plain HTTP. The hash only helps if the HTML carrying it arrives intact: an attacker who can rewrite an HTTP script can equally rewrite an HTTP page to strip or replace the integrity attribute, and modern browsers block an HTTP script on an HTTPS page as mixed content anyway. Serve both the page and the resource over HTTPS.
  • Not adding SRI to stylesheets. A tampered stylesheet is not harmless: CSS attribute selectors can exfiltrate form values character by character through background-image requests, and injected rules can overlay phishing UI on your page.
  • Generating SRI hashes from a locally cached copy that differs from what the CDN actually serves. Hash the bytes fetched from the exact CDN URL you reference (srihash.org does this for you); minified and unminified builds, or different CDN mirrors, produce different hashes.

Avoid When

  • Do not expect SRI to protect first-party resources you host yourself. An attacker who can alter a file on your own origin can usually alter the HTML that carries the hash as well, so the integrity attribute adds little there; it earns its keep on resources served from origins you do not control.
  • Do not skip SRI for CDN-hosted JavaScript — a compromised CDN can inject malicious code into every page that loads it.

When To Use

  • Add integrity and crossorigin attributes to all third-party <script> and <link> tags loaded from CDNs.
  • Generate SRI hashes at build time from the exact bytes the CDN serves and pin them; regenerate when you update the CDN resource version. During a version rollover you can list the old and new hash, space-separated, in one integrity attribute (the browser accepts a match on either for the strongest algorithm listed), then drop the old one.

Code Examples

✗ Vulnerable
<script src="https://cdn.example.com/jquery.min.js"></script>
✓ Fixed
<script src="https://cdn.example.com/jquery.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

Added 15 Mar 2026
Edited 31 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Add integrity="sha384-{hash}" and crossorigin="anonymous" to every <script> and <link> tag loading from a CDN — use srihash.org to generate hashes
📦 Applies To
PHP 5.0+ web
🔍 Detection Hints
CDN-hosted scripts or stylesheets without integrity attribute; external resources loaded without SRI verification
Auto-detectable: ✓ Yes lighthouse owasp-zap semgrep
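The detection hint above, and the HTTP, stylesheet and missing-attribute mistakes listed under Common Mistakes, can be checked with a small scanner. The PHP below is an added example, not a tool from the original page or from Lighthouse, ZAP or Semgrep: it walks a document with DOMDocument, skips relative and first-party URLs, and reports every third-party <script src> or <link rel="stylesheet" href> that is loaded over HTTP, lacks an integrity attribute, carries a malformed one, or has integrity without crossorigin. The sample HTML, hosts and hash values are constructed; the function name find_missing_sri is this example's own.

```php
<?php
declare(strict_types=1);

/**
 * Flag third-party <script src> and <link rel="stylesheet" href> tags without usable SRI.
 * Returns one entry per offending tag: ['tag' => ..., 'url' => ..., 'problems' => [...]].
 * $pageHost is the host serving the page; resources on it are skipped, since a compromise
 * there would let the attacker rewrite the HTML (and the hash in it) anyway.
 */
function find_missing_sri(string $html, string $pageHost): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // HTML5 tags make libxml noisy; we only want the tree
    $doc->loadHTML($html);
    libxml_clear_errors();

    $candidates = [];
    foreach ($doc->getElementsByTagName('script') as $el) {
        if ($el->hasAttribute('src')) {
            $candidates[] = ['script', $el, $el->getAttribute('src')];
        }
    }
    foreach ($doc->getElementsByTagName('link') as $el) {
        if (strcasecmp(trim($el->getAttribute('rel')), 'stylesheet') === 0 && $el->hasAttribute('href')) {
            $candidates[] = ['link', $el, $el->getAttribute('href')];
        }
    }

    $findings = [];
    foreach ($candidates as [$tag, $el, $url]) {
        $parts = parse_url($url);
        $host  = $parts['host'] ?? null;
        if ($host === null || strcasecmp($host, $pageHost) === 0) {
            continue;                          // relative or first-party: out of scope for SRI
        }
        $problems = [];
        // Scheme-relative URLs (//cdn/...) inherit the page scheme, so only an explicit one is checked.
        if (isset($parts['scheme']) && strtolower($parts['scheme']) !== 'https') {
            $problems[] = "loaded over {$parts['scheme']}; the hash is only as trustworthy as the transport";
        }
        $integrity = trim($el->getAttribute('integrity'));
        if ($integrity === '') {
            $problems[] = 'no integrity attribute';
        } elseif (!preg_match('~^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}(\s+sha(256|384|512)-[A-Za-z0-9+/]+={0,2})*$~', $integrity)) {
            $problems[] = 'malformed integrity value (must be sha256-, sha384- or sha512- plus base64)';
        }
        if ($integrity !== '' && !$el->hasAttribute('crossorigin')) {
            $problems[] = 'integrity without crossorigin: the browser will block this cross-origin load';
        }
        if ($problems) {
            $findings[] = ['tag' => $tag, 'url' => $url, 'problems' => $problems];
        }
    }
    return $findings;
}

// Constructed sample page; none of these hosts, files or hash values are real.
$html = <<<'HTML'
<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="http://cdn.example.net/lib/1.0.0/lib.min.css">
<link rel="stylesheet" href="https://cdn.example.net/theme.css"
      integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
</head><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/1.0.0/lib.min.js"></script>
<script src="https://cdn.example.net/other.js"
        integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        crossorigin="anonymous"></script>
</body></html>
HTML;

foreach (find_missing_sri($html, 'www.example.com') as $f) {
    printf("%-6s %s\n    - %s\n", $f['tag'], $f['url'], implode("\n    - ", $f['problems']));
}
```

On the sample page the two first-party files are skipped, the HTTP stylesheet is reported twice (transport and missing hash), theme.css is reported for integrity without crossorigin, lib.min.js for the missing attribute, and other.js passes. The regex only validates the shape of the value; whether the digest matches the served bytes is the build-time check, not a static one.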
🤖 AI Agent
Confidence: Medium False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-353 CWE-494