Brent Keller

Subresource integrity hashes

Today I learned about the integrity attribute for <script> and <link> tags. This attribute is used to ensure you're getting what you expect from a referenced resource, like a script from a CDN. This is a really good idea when referencing specific versioned files from a CDN to make sure that a malicious actor hasn't replaced that resource with something else.

You can find more info on the MDN site: Subresource Integrity

There's a handy online tool to help calculate the integrity hash for a resource's URL: https://www.srihash.org/

Example usage of the integrity attribute:

<script
  src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.1/cookieconsent.min.js"
  integrity="sha512-yXXqOFjdjHNH1GND+1EO0jbvvebABpzGKD66djnUfiKlYME5HGMUJHoCaeE4D5PTG2YsSJf6dwqyUUvQvS0vaA=="
  crossorigin="anonymous"
></script>