SRI uses cryptographic hashes to ensure third-party resources match expected content.
How it works
- Add an integrity attribute, containing the expected hash, to the <script> or <link> element that loads the resource.
- Browser downloads the resource and computes its hash.
- If hash matches, resource loads; if not, browser blocks it.
Example
<script src="https://cdn.example.com/library.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
Benefits
- Prevent supply chain attacks via compromised CDNs.
- Detect unauthorized modifications to third-party scripts.
- Help satisfy requirements of compliance standards such as PCI DSS.