Subresource Integrity (SRI)
One-line relationship: SRI hash-pins a third-party script or stylesheet at the moment you decide to trust it — the direct defense against Magecart-style supply-chain compromise and formjacking, where the attacker never touches your servers at all.
What it is
Every time a page loads <script src="https://cdn.example.com/lib.js">, it’s trusting that CDN — today, and every time it changes — to serve exactly what it served when you tested it. That trust is the entire attack surface of a supply-chain compromise: an attacker who breaches the CDN (or a compromised npm dependency it bundles) can silently modify the script, and every site loading it starts running attacker code with zero changes to their own servers or codebase. This is precisely how Magecart attacks work, and formjacking — a script quietly skimming card and credential fields as the user types — is the most common payload.
SRI closes the gap by pinning the content, not just the URL:
<script
src="https://cdn.example.com/lib.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous">
</script>The browser hashes the script as delivered and compares it to the integrity attribute before executing anything. One byte of difference — a real edit, or a tampered CDN response — and the hash changes completely; the browser refuses to run the script at all.
Try it — hash-pin live
Third-party script content
The lesson: Subresource Integrity hash-pins a third-party script at the moment you trust it. Even one byte of tampering — a compromised CDN, a Magecart-style supply-chain injection — changes the hash completely, and the browser will refuse to execute a script whose integrity attribute doesn't match what was actually served. It doesn't stop the tamper from happening upstream; it stops the tampered script from ever running in your users' browsers.What SRI doesn’t cover
SRI protects a script you load with a <script src> tag and an integrity attribute you set at deploy time. It doesn’t help if:
- The script is loaded dynamically without an
integrityattribute (common in ad-tech and analytics snippets — check these first). - You’re pulling from a source that changes legitimately and frequently (auto-updating CDNs) — you’d have to re-pin on every release, which many teams skip, defeating the point.
What to take to the client
Any third-party script running on an authenticated banking page — analytics, chat widgets, A/B testing tools — is a supply-chain risk equal to code you wrote yourself, because the browser can’t tell the difference in privilege. SRI is cheap insurance against exactly the class of attack (Magecart, formjacking) that doesn’t show up in a normal pentest of your code, because your code was never the compromised part.