Subresource Integrity: Protect Your Site from Compromised Third-Party Resources

About a year ago—before the release of the current version of visitmaldives.com—the website was compromised through a third-party JavaScript resource.

Because JavaScript has full access to the Document Object Model (DOM), anyone controlling that script can manipulate the content of a page in any way they want. In this case, the attacker replaced the contact information on the website with their own, diverting legitimate inquiries to themselves instead of the actual owner.

This attack was possible because, at the time, there was no standard way to verify the integrity of third-party resources loaded by a browser.


What Is Subresource Integrity (SRI)?

On November 12, 2015, the W3C introduced a specification called Subresource Integrity (SRI). It allows browsers to verify that the files (JavaScript, CSS, etc.) loaded from third-party sources—such as CDNs—have not been tampered with.

This is especially important today, as most modern websites rely on assets hosted across multiple origins. Using CDNs helps improve performance, but it also introduces a risk: if a CDN or external script is compromised, so is your site.

With SRI, developers can enjoy the performance benefits of CDNs without sacrificing security. It’s now widely considered a web security best practice.


How to Use Subresource Integrity

Implementing SRI is simple. You include a base64-encoded cryptographic hash of the file (SHA-384, for example) in the tag’s integrity attribute. The browser downloads the resource, computes the same hash over the bytes it actually received, and executes the file only if that hash matches the one in the attribute.

Example:

<script 
  src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"
  integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS"
  crossorigin="anonymous">
</script>

If the downloaded script has been modified—even slightly—the hash won’t match, and the browser will refuse to execute it.


Browser Support

Subresource Integrity is supported in Chrome, Firefox, and Opera, but not in Internet Explorer, Edge (Legacy), or Safari.

You can check the latest browser support details on Can I Use.


Try It Yourself

To generate SRI hashes easily, visit srihash.org. It automatically computes the correct hash for your resource so you can include it safely in your site.
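The following Python script is an added example, not code from the original article or from srihash.org. It does two things: it generates an integrity value for a file the way srihash.org does (SHA-384 digest, base64-encoded, prefixed with the algorithm name), and it replays the browser-side check described in the "How to Use Subresource Integrity" section, including two details the article leaves implicit: an integrity attribute may list several hashes separated by spaces, and the browser only considers the strongest algorithm present. The script body is a constructed stand-in for a real CDN file; names such as sri_hash and verify_integrity are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample standing in for a third-party file such as bootstrap.min.js.
SAMPLE_SCRIPT = b"console.log('hello from a third-party script');\n"

# Hash functions the SRI specification recognises, with a relative strength ranking.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity attribute value such as 'sha384-<base64 digest>' for data.

    This is the computation srihash.org performs on a fetched file; run it on the
    exact bytes you intend to serve, because any byte change produces a new hash.
    """
    digest = SUPPORTED[algorithm](data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (algorithm, base64 digest) pairs.

    Tokens are whitespace-separated. An optional '?options' suffix is allowed by the
    spec and dropped here; tokens with unknown algorithms are ignored, as a browser
    would ignore them.
    """
    pairs = []
    for token in attr.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def verify_integrity(data: bytes, attr: str) -> bool:
    """Replay the browser check: keep only the strongest algorithm listed, then accept
    the bytes if any digest for that algorithm matches.

    An attribute with no usable token performs no check at all, so the resource is
    accepted; that is why a typo in the algorithm name silently disables SRI.
    Digests are compared as padded base64 strings, which is what srihash.org emits.
    """
    pairs = parse_integrity(attr)
    if not pairs:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in pairs)
    for alg, expected in pairs:
        if STRENGTH[alg] != strongest:
            continue  # weaker algorithms are ignored even if they would match
        actual = base64.b64encode(SUPPORTED[alg](data).digest()).decode("ascii")
        if actual == expected:
            return True
    return False


def script_tag(src: str, data: bytes) -> str:
    """Build the <script> element from the article's example for the given file bytes."""
    return (
        f'<script\n  src="{src}"\n'
        f'  integrity="{sri_hash(data)}"\n'
        f'  crossorigin="anonymous">\n</script>'
    )


if __name__ == "__main__":
    # Hypothetical URL; the file contents are the constructed sample above.
    print(script_tag("https://cdn.example/vendor/app.min.js", SAMPLE_SCRIPT))
    print("unmodified accepted:", verify_integrity(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
    print("tampered accepted:  ", verify_integrity(SAMPLE_SCRIPT + b"//x", sri_hash(SAMPLE_SCRIPT)))
```

Two practical points follow from the check as modelled here. First, the `crossorigin="anonymous"` attribute in the article's tag is not decorative: for a cross-origin resource the browser can only compute the hash if the CDN answers with CORS headers, and without that attribute the load fails integrity checking rather than passing it. Second, listing two hashes for the same algorithm lets you rotate to a new file version without a window in which either the old or the new copy is rejected, whereas listing a weaker algorithm alongside a stronger one buys nothing, since only the strongest is consulted.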


By adopting SRI, you can significantly reduce the risk of third-party resources compromising your website’s integrity—an essential step toward building a safer, more trustworthy web.