Welcome to Vanilla Breeze
This bell pulls live notifications from /go/notify/messages — the same contract documented at /docs/concepts/service-contracts/. Static articles like this one are the no-JS / no-backend fallback.
integrity
Subresource Integrity (SRI) lets the browser verify that files fetched from CDNs haven't been tampered with.
Overview
Subresource Integrity (SRI) lets the browser verify that files fetched from CDNs or other third-party servers have not been tampered with. You provide a cryptographic hash of the expected file contents, and the browser checks the downloaded file against that hash before executing or applying it.
If a CDN is compromised and serves a modified file, the browser will refuse to use it rather than running potentially malicious code. SRI is a critical defense-in-depth measure for any site that loads resources from third-party origins.
How It Works
- You generate a cryptographic hash of the resource file.
- You add the hash to the
integrityattribute, prefixed with the algorithm name. - You add
crossorigin="anonymous"(required for cross-origin resources). - When the browser downloads the file, it computes the hash and compares it to your value.
- If the hashes match, the resource loads normally. If they do not match, the browser refuses to execute or apply the resource and reports a network error.
Hash Format
The integrity value is an algorithm prefix followed by a base64-encoded hash, separated by a hyphen:
| Algorithm | Prefix | Strength | Recommendation |
|---|---|---|---|
| SHA-256 | sha256- | Good | Minimum acceptable |
| SHA-384 | sha384- | Better | Recommended default |
| SHA-512 | sha512- | Strongest | Maximum security |
SHA-384 is the most common choice. It offers strong security with reasonable hash length.
Applies To
The integrity attribute is supported on two elements:
<script>— verify JavaScript files<link rel="stylesheet">— verify CSS files
Examples
Script with SRI
Script integrity check
<!-- Load a script from a CDN with integrity verification --><script src="https://cdn.example.com/[email protected]/lib.min.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAh6VgnSY2E3t0BvIQIYh4mC/b2Dj" crossorigin="anonymous"></script>Stylesheet with SRI
Stylesheet integrity check
<!-- Load a stylesheet from a CDN with integrity verification --><link rel="stylesheet" href="https://cdn.example.com/[email protected]/styles.min.css" integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous" />Multiple Hashes
You can provide multiple hashes separated by spaces. The browser will accept the resource if any of the hashes match. This is useful when migrating between hash algorithms or when a resource may be served in different valid forms.
Multiple integrity hashes
<!-- Provide multiple hashes for stronger verification --><script src="https://cdn.example.com/app.js" integrity="sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE= sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAh6VgnSY2E3t0BvIQIYh4mC/b2Dj" crossorigin="anonymous"></script>When multiple hashes with different algorithms are provided, the browser uses the strongest algorithm it supports for verification.
The crossorigin Attribute
For cross-origin resources, integrity must be paired with the crossorigin attribute. Without it, the browser cannot read the response to verify the hash (due to CORS restrictions) and will skip the integrity check.
| Value | Behavior | Use When |
|---|---|---|
anonymous | Sends request without credentials (cookies, auth headers) | Public CDN resources (most common) |
use-credentials | Sends credentials with the request | Authenticated/private CDN resources (rare) |
crossorigin values
<!-- anonymous: no credentials sent (most common for CDN resources) --><script src="https://cdn.example.com/lib.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAh6VgnSY2E3t0BvIQIYh4mC/b2Dj" crossorigin="anonymous"></script> <!-- use-credentials: sends cookies/auth (rare, for authenticated CDNs) --><script src="https://private-cdn.example.com/internal.js" integrity="sha384-abc123..." crossorigin="use-credentials"></script>Same-Origin Resources
For resources served from the same origin, crossorigin is not required. SRI still works, but since you control both the page and the resource, it is less commonly needed.
Same-origin vs cross-origin
<!-- Same-origin resources do NOT need integrity or crossorigin --><script src="/js/app.js"></script><link rel="stylesheet" href="/css/styles.css" /> <!-- Cross-origin resources NEED both integrity and crossorigin --><script src="https://cdn.example.com/lib.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAh6VgnSY2E3t0BvIQIYh4mC/b2Dj" crossorigin="anonymous"></script>Generating Integrity Hashes
You can generate hashes from the command line or use the online tool at srihash.org.
Generating hashes from the command line
# Generate a SHA-384 hash (most common for SRI)openssl dgst -sha384 -binary script.js | openssl base64 -A # Using shasum (macOS / Linux)shasum -b -a 384 script.js | awk '{ print $1 }' | xxd -r -p | base64 # Using curl to hash a remote filecurl -s https://cdn.example.com/lib.min.js | openssl dgst -sha384 -binary | openssl base64 -A # Full integrity attribute value (prefix the hash with the algorithm)# sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAh6VgnSY2E3t0BvIQIYh4mC/b2DjWorkflow Tips
- Pin to exact versions: SRI hashes are tied to exact file contents. Always use versioned URLs (e.g.
[email protected]) rather thanlatestor unversioned paths. - Regenerate on update: When you update a dependency version, regenerate the hash.
- Build tools: Bundlers like Webpack, Vite, and Parcel can generate integrity hashes automatically.
What Happens on Mismatch
When the downloaded file does not match the expected hash:
- The browser refuses to execute the script or refuses to apply the stylesheet.
- A network error is reported (visible in DevTools console).
- The element fires an
errorevent, which you can handle to show a fallback or alert the user. - No partial execution occurs — the resource is completely blocked.
This is intentional. A mismatched hash means the file has been modified, and it is safer to break functionality than to run potentially malicious code.
Common Mistakes
- Forgetting
crossoriginon cross-origin resources. Without it, the integrity check is silently skipped. - Using unversioned CDN URLs (e.g.
lib/latest/lib.js). When the CDN updates the file, the hash breaks. Always pin to a specific version. - Whitespace or encoding differences: The hash must match the exact bytes served. If a CDN minifies or re-encodes a file differently, the hash will fail.
- Copying hashes from untrusted sources: Generate hashes yourself from a known-good copy of the file, not from the same CDN you are verifying.
See Also
referrerpolicy— control referrer information sent with requests<script>element reference<link>element reference