Subresource Integrity & Supply Chain Hardening
Every CDN-hosted library, every npm package, every third-party widget is a potential
injection vector. A single compromised CDN edge node or maintainer account can silently
backdoor millions of sites — bypassing traditional perimeter defences by exploiting the
implicit trust modern apps extend to upstream registries and delivery networks.
Subresource Integrity (SRI) is the browser’s answer: embed a base64-encoded
cryptographic hash in your <script> or <link> tag, and the browser refuses to
execute any resource whose bytes don’t match — no exceptions.
This reference covers the complete supply chain hardening stack:
- Hash algorithms — SHA-256 vs SHA-384 vs SHA-512, collision resistance, and how browsers verify
- Build-time automation — generating and injecting hashes in Webpack 5 and Vite pipelines
- CDN trust mapping — per-origin SRI policies, jsDelivr and unpkg pinning, and cross-origin resource sharing rules
- Dynamic loading — keeping integrity checks intact when scripts, ES modules, and import maps load at runtime
- Dependency auditing — lockfile analysis, CycloneDX SBOMs, Sigstore provenance, continuous monitoring, and vulnerability triage
- Runtime policy enforcement — CSP nonces and hash-based policies, Trusted Types for DOM XSS, and violation telemetry that layer on top of SRI
Start with Core SRI Fundamentals if you’re new to the topic, or jump straight to the section most relevant to your current work. Once you have SRI in place, Runtime Policy Enforcement & Trusted Types shows how to combine it with Content Security Policy and Trusted Types for defense in depth.
Explore Topics
Core SRI Fundamentals & Browser Security Boundaries
Cryptographic hash algorithms, browser enforcement mechanics, Content Security Policy integration, stylesheet and web-font integrity, and graceful fallback strategies for Subresource Integrity.
ExploreAsset Hashing & Dynamic Script Injection
Static asset hash generation, CDN trust mapping, Webpack and Vite integration, ES module and import-map integrity, and secure dynamic script loading patterns.
ExploreSupply Chain Auditing & Dependency Verification
Lockfile mapping, automated SBOM generation, provenance verification, dependency pinning, continuous monitoring, third-party risk assessment, and vulnerability tracking.
ExploreRuntime Policy Enforcement & Trusted Types
Content Security Policy nonces and hash-based policies, Trusted Types for DOM XSS prevention, coordinating SRI with CSP and Trusted Types, and violation telemetry via the Reporting API.
ExploreStart Here
The highest-impact pages for engineers new to SRI and supply chain hardening.