{
    "slug": "subresource_integrity",
    "term": "Subresource Integrity (SRI)",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A browser mechanism that verifies CDN-hosted scripts and stylesheets haven't been tampered with, using a cryptographic hash in the HTML tag.",
    "long": "SRI (W3C spec) adds an integrity attribute to <script> and <link> tags containing a base64-encoded SHA-256/384/512 digest of the expected file content, prefixed with the algorithm name (e.g. sha384-...). The browser refuses to execute or apply the resource if the downloaded content doesn't match. This prevents supply chain attacks where a CDN is compromised and serves a malicious version of a library. In PHP applications, generate SRI hashes by base64-encoding the raw (binary) digest from openssl_digest() or hash() — a hex digest will not match — or use build tools, and always combine SRI with crossorigin='anonymous', because the browser can only verify a cross-origin resource whose content it is allowed to read (the CDN must serve it with CORS headers).",
    "aliases": [
        "SRI",
        "integrity hash",
        "script integrity check"
    ],
    "tags": [
        "browser",
        "supply-chain",
        "cdn",
        "headers"
    ],
    "misconception": "Loading scripts from a reputable CDN is safe without SRI. CDNs have been compromised before — SRI ensures the browser refuses to execute a script if its content differs from the expected hash, protecting against CDN-level supply chain attacks.",
    "why_it_matters": "A compromised CDN or third-party host can silently serve malicious JavaScript to all your users — SRI hashes ensure the browser refuses to execute any modified file.",
    "common_mistakes": [
        "Adding SRI hashes once at setup but not regenerating them when the library version updates.",
        "Relying on SRI for pages or scripts served over plain HTTP — a network attacker who can modify the page can simply strip or replace the integrity attribute, so the hash check only helps when the HTML itself is delivered over HTTPS.",
        "Not adding SRI to stylesheets — CSS can also exfiltrate data via attribute selectors.",
        "Generating SRI hashes from a locally cached copy that differs from what the CDN actually serves."
    ],
    "when_to_use": [
        "Add integrity and crossorigin attributes to all third-party <script> and <link> tags loaded from CDNs.",
        "Generate SRI hashes at build time and pin them — regenerate when updating the CDN resource version."
    ],
    "avoid_when": [
        "Do not rely on SRI for first-party resources you host yourself — it adds little security benefit when the HTML and the resource share the same trust boundary, since an attacker who can alter the resource can usually alter the page that references it too.",
        "Do not skip SRI for CDN-hosted JavaScript — a compromised CDN can inject malicious code into every page that loads it."
    ],
    "related": [
        "supply_chain_attack",
        "content_security_policy",
        "xss"
    ],
    "prerequisites": [
        "content_security_policy",
        "supply_chain_attack",
        "security_headers"
    ],
    "refs": [
        "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity",
        "https://www.srihash.org/"
    ],
    "bad_code": "<script src=\"https://cdn.example.com/jquery.min.js\"></script>",
    "good_code": "<script src=\"https://cdn.example.com/jquery.min.js\"\n  integrity=\"sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC\"\n  crossorigin=\"anonymous\"></script>",
    "quick_fix": "Add integrity=\"sha384-{hash}\" and crossorigin=\"anonymous\" to every <script> and <link> tag loading from a CDN — generate the hash from the exact file the CDN serves (e.g. with srihash.org or at build time)",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-31",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/subresource_integrity",
        "html_url": "https://codeclaritylab.com/glossary/subresource_integrity",
        "json_url": "https://codeclaritylab.com/glossary/subresource_integrity.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Subresource Integrity (SRI)](https://codeclaritylab.com/glossary/subresource_integrity) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/subresource_integrity"
            }
        }
    }
}