Subresource integrity hashes
Today I learned about the integrity attribute for <script> and <link> tags. This attribute is used to ensure you're getting what you expect from a referenced resource, like a script from a CDN. This is a really good idea when referencing specific versioned files from a CDN to make sure that a malicious actor hasn't replaced that resource with something else.
You can find more info on the MDN site: Subresource Integrity
There's a handy online tool to help calculate the integrity hash for a resource's URL: https://www.srihash.org/
Example usage of the integrity attribute:
<script
src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.1/cookieconsent.min.js"
integrity="sha512-yXXqOFjdjHNH1GND+1EO0jbvvebABpzGKD66djnUfiKlYME5HGMUJHoCaeE4D5PTG2YsSJf6dwqyUUvQvS0vaA=="
crossorigin="anonymous"
></script>
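
The integrity value can also be computed locally from a copy of the file you have reviewed, instead of through an online tool. The following Node.js sketch is an added example, not code from the original post: `sriHash` and `checkIntegrity` are names chosen here, and the script bytes are a constructed sample. `checkIntegrity` follows the browser rule that only the strongest algorithm listed in the attribute is honoured.

```javascript
const crypto = require("node:crypto");

// Hash functions the SRI spec allows, ordered weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];
// One integrity token: "<alg>-<base64 digest>", optionally followed by "?options".
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/;

// Build the value for integrity="...": the algorithm name, a dash,
// then the base64 encoding of the raw (binary) digest of the file bytes.
function sriHash(bytes, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error(`unsupported SRI algorithm: ${alg}`);
  return `${alg}-${crypto.createHash(alg).update(bytes).digest("base64")}`;
}

// Check bytes against an integrity attribute the way a browser does.
// Returns "match", "mismatch", or "unchecked". "unchecked" means the
// attribute held no usable token, in which case a browser loads the
// resource without verifying it, so treat that as a build failure.
function checkIntegrity(bytes, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((token) => TOKEN.exec(token))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  if (parsed.length === 0) return "unchecked";

  // Only the strongest algorithm present counts; weaker tokens are ignored.
  const strongest = ALGS.filter((a) => parsed.some((p) => p.alg === a)).pop();
  const actual = sriHash(bytes, strongest).slice(strongest.length + 1);
  return parsed.some((p) => p.alg === strongest && p.digest === actual)
    ? "match"
    : "mismatch";
}

// Constructed sample bytes standing in for the CDN file you pinned.
const pinned = Buffer.from("window.cookieconsent = { sample: 'constructed' };\n");
const tampered = Buffer.concat([pinned, Buffer.from("/* changed */")]);
const attr = sriHash(pinned, "sha512");

console.log(`integrity="${attr}"`);
console.log("pinned file:  ", checkIntegrity(pinned, attr));
console.log("tampered file:", checkIntegrity(tampered, attr));
```

Running a check like this in CI against the files your pages reference catches a typo in the attribute or an unexpected upstream change before users' browsers start blocking the script.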