What is Subresource Integrity (SRI)?

1. What Is Subresource Integrity (SRI)?

Subresource Integrity (SRI) is a security feature that allows a web browser to verify that a file it fetches from a third-party server (like a CDN) has not been tampered with. It works by having the website owner provide a cryptographic hash (a unique fingerprint) of the file they expect to load. The browser then downloads the file, calculates its own hash, and compares it to the one provided. If they don't match, the browser refuses to execute the file.

2. Why Is It Important?

Many websites use Content Delivery Networks (CDNs) to load popular libraries like jQuery, Bootstrap, or Google Fonts. This is great for performance, but it introduces a security risk: what if the CDN gets hacked? An attacker could modify the JavaScript file to steal user data or display malicious content. SRI protects against this by ensuring that the file loaded by your users is the exact same one you intended to use, bit for bit.

3. How Are People Affected If It's Not There?

Without SRI, a website is placing complete trust in its third-party providers. If one of those providers is compromised: * User Data Can Be Stolen: A modified JavaScript file could record user keystrokes, steal login credentials, or scrape personal information from a form. * Malicious Content Can Be Injected: An attacker could deface the website, show unwanted ads, or redirect users to scam websites. * Loss of Trust: A security breach originating from a trusted third-party library can severely damage a brand's reputation. SRI is a simple and effective defense against this entire class of attack.