
Subresource Integrity (SRI) is a security feature that protects web applications from cross-site scripting (XSS) attacks by ensuring that the resources loaded by a webpage, such as scripts and stylesheets, are delivered from the intended source.
The primary goal of SRI is to prevent an attacker from serving malicious content to a user's browser by intercepting the request and serving a tampered version of the resource.
To achieve this, SRI uses a hash value, also known as a digital fingerprint, to verify the integrity of the resource. This hash value is included in the HTML tag of the resource, and the browser checks it against the expected hash value when the resource is loaded.
The hash value is typically generated using algorithms like SHA-256 or SHA-384, which produce a unique string of characters for each resource.
How It Works
Subresource Integrity is a security feature that ensures the integrity of external resources, like scripts and stylesheets, that are loaded by your webpage. It does this by checking the hash of the resource against a expected hash, which is stored in the webpage's code.
If the hash doesn't match, the resource won't load, preventing malicious code from executing. This is because any small change in a file completely changes its corresponding SHA hash, making it virtually impossible to have hash collisions with SHA-256 and higher.
Here are some examples of how Subresource Integrity is used:
- An author uses Subresource Integrity to ensure that a content delivery network (CDN) delivers only the expected code.
- An author includes JavaScript provided by a third-party analytics service, ensuring that only carefully reviewed code is executed.
- A user agent uses Subresource Integrity to prevent manipulated JavaScript code from running in high-privilege HTML contexts.
Why Hashing Works
Hashing is a crucial part of Subresource Integrity (SRI), and it works by creating a unique digital fingerprint of a resource. This fingerprint, also known as a hash, is used to verify the integrity of the resource.
Any small change in a file completely changes its corresponding SHA hash, making it virtually impossible to have hash collisions with SHA-256 and higher. This means that even a single character change in a file will result in a completely different hash.
To understand why hashing works, let's consider an example. Imagine a JavaScript file hosted on a third-party server that you included in your webpage with SRI enabled. If an attacker were to modify the file's data with malicious code, the hash of it would no longer match the expected hash, and the file would not execute.
On a similar theme: Integration for Email That Works with Applied Epic
Here's a table summarizing the lengths of each SHA hash:
This table shows the lengths of each SHA hash, which is essential for generating the correct hash for your resources. For example, if you're using SHA-384, you'll need to trim all but the first 96 characters of the string that is piped into the head -c 96 command.
Cross-Origin Resource Sharing
Cross-Origin Resource Sharing is a security feature that ensures resources can be shared between different origins. This is done by checking the Access-Control-Allow-Origin header in the resource's response.
To enable CORS, a resource must be served with an Access-Control-Allow-Origin header that allows the resource to be shared with the requesting origin. This header must be set by the server, not the client.
Take a look at this: Integrated Access Device
Security and Best Practices
To ensure the security of your application, it's essential to use HTTPS when implementing SRI. This is because SRI only works over HTTPS.
Regularly updating hashes is crucial when updating resources. This ensures that the fetched resources are exactly what the developer intended.
Using SRI protects against malicious content injected into third-party resources, safeguarding your application from external threats.
Why Use?
Using security best practices is crucial to protect your application from external threats.
Using SRI, or Subresource Integrity, offers several benefits.
Security is a top priority, and SRI helps by protecting against malicious content injected into third-party resources.
Integrity is also ensured, so you can be sure the fetched resources are exactly what the developer intended.
This builds user trust, safeguarding your application from external threats and giving users peace of mind.
Discover more: In Relation to Email Security What Does Integrity Mean
Best Practices
Always use HTTPS with SRI, as it only works over HTTPS. This is a crucial step to ensure the security of your application.
To keep your resources secure, regularly update hashes whenever you update your resources. This will prevent old hashes from being used to load compromised resources.
Using SRI offers several benefits, including security, integrity, and trust. By safeguarding your application from external threats, you can build user trust and ensure a secure browsing experience.
Hashing works for SRI because any small change in a file completely changes its corresponding SHA hash. This makes it virtually impossible for attackers to modify a file without being detected.
Intriguing read: Azure File Integrity Monitoring
The "crossorigin" attribute is required with subresource integrity to prevent cross-origin attacks. By including this attribute, you ensure that the cross-origin domain must choose to allow requests from your origin, making it more difficult for attackers to load cross-origin resources en masse.
By implementing SRI, you can ensure that only the intended version of the resource is loaded, blocking any altered versions. This provides an additional layer of security and integrity to your application.
Tools and Technologies
The SRI Hash Generator is an online tool you can use to generate SRI hashes.
You can also create a tool for generating SRI hashes in a Windows environment using a specific code.
The SRI Hash Generator is a convenient way to ensure the integrity of your resources, but it's not the only option available.
For instance, you can create a custom tool using the provided code to generate SRI hashes on your own machine.
The SRI Hash Generator is a simple online tool, but it gets the job done.
This code can be used to create a more robust solution that meets your specific needs.
Handling Violations and Attacks
If a resource fails an integrity check, the user agent will refuse to render or execute it, instead returning a network error.
This means that even if an attacker tries to serve a tampered version of your resource, the browser will catch on and prevent it from loading.
Developers can catch the error event that's fired when a resource fails an integrity check and provide a handler to replace the failed resource with a trusted one.
By implementing Subresource Integrity (SRI), you can ensure that only the intended version of a resource is loaded, blocking any altered versions that might be used to launch an attack.
Frequently Asked Questions
When to use subresource integrity?
Use subresource integrity (SRI) when loading external JavaScript or stylesheet resources over HTTPS to ensure their authenticity and prevent tampering. This is especially important when using CDNs, which must also enable CORS with the Access-Control-Allow-Origin header.
Featured Images: pexels.com


