Skip to content

Instantly share code, notes, and snippets.

@cecilemuller
Last active Jun 14, 2021
Embed
What would you like to do?
Subresource Integrity (SRI)

Subresource Integrity (SRI)

The integrity property for scripts and stylesheets:


Example

<!-- External scripts -->
<script integrity="sha512-aaaaaaaaa" crossorigin="anonymous" src="script.js"></script>

<!-- External stylesheets -->
<link integrity="sha512-aaaaaaaaa" crossorigin="anonymous" href="styles.css" rel="stylesheet">

<!-- Inline stylesheets -->
<style integrity="style-src www.example.com 'sha512-aaaaaaaaa'">
body { ... }
</style>

Create a hash

You can have multiple hashes separated by a space, but the browser uses the highest so you might as well use only one (preferably sha-512 like Github).

Node uses crypto:

import {createHash} from "crypto";

const contents = Buffer.from("CONTENTS OF THE FILE");
const integrity = "sha512-" + createHash("sha512").update(contents).digest().toString("base64");

PHP uses hash:

$contents = file_get_contents("script.js");
$integrity = 'sha512-' . base64_encode(hash("sha512", $contents, true));

Plugins to inject integrity in HTML pages:

More tools:


@cecilemuller
Copy link
Author

cecilemuller commented Jun 5, 2021

Also related:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment