This has been a long time coming so I'm excited that we now have a working standard in the browser for monitoring and enforcing the use of SRI across your website assets!

SRI refresher
For those that aren't familiar, or would like a quick refresher, here's the TLDR of SRI - Subresource Integrity. When loading assets from a third party, especially JavaScript, it's a good idea to have some control over what exactly it is you're loading. A typical script tag will allow any script to load in your page, but SRI gives you the ability to make sure the JavaScript you're getting is the JavaScript you wanted... It's all done with the simple addition of an integrity attribute:
<script
  src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"
  integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
  crossorigin="anonymous">
</script>

That integrity attribute means the browser can now download that file and check that the cryptographic fingerprint of the file it downloaded matches the one you were expecting! If the file is tampered with or modified in some way, the browser can reject it. I have a full blog post about SRI, Subresource Integrity: Securing CDN loaded assets, that I wrote more than a decade ago back in 2015!
The rise of SRI
It's no surprise that SRI has become a very popular technology. It's free to use, it's an open web standard supported across all browsers, it's unbelievably simple, and it provides invaluable protection against some quite serious threats. Helping to drive that adoption, all of the major CDN providers have been supplying their script tags with SRI attributes for years, it could have stopped some pretty serious attacks in recent history [source], and it's now even a recommended strategy in compliance standards like PCI DSS [source]. If you have existing assets that don't have SRI protection, and you'd like to add it, you can use free tools like our SRI Hash Generator to take the URL of existing assets and create an SRI compatible script or style tag. But there lies a little bit of a problem. How do you know what assets that you have across your website that are eligible to use SRI, but aren't currently using it?
Integrity Policy to the rescue!
We now have a way to effortlessly audit all of the dependencies across your application to ensure that they're using SRI. Integrity Policy is an open web standard, requires no code or agent to be deployed, and has no negative impact to speak of. It can be enabled with a single HTTP Response Header:
Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(default)

As you can see here, I'm using the Report-Only version of the header as it's best to start by gathering information before you consider any enforcing action. I'm setting the policy to monitor JavaScript and I'm instructing it to send telemetry to the default reporting endpoint. If you're not familiar with the Reporting API you can read my full blog post, but the summary is that you simply add an HTTP Response Header to let the browser know where to send the telemetry. This endpoint can also be used by a variety of different mechanisms so you can set it once and use it many times.
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://helios.report-uri.com/a/t/g"}],"include_subdomains":true}

That's it! With both of those headers set, any time a browser loads one of your pages it will send an event to let you know if there is an asset being loaded without the use of SRI. As the Integrity Policy header was delivered in Report-Only mode, it will still allow the asset to load so there is no negative impact on your site. The idea here would be that you can now go and fix that problem by adding the integrity attribute to the asset, and then the events will no longer be sent.
Now in open beta!
Integrity Policy is now available on our site and is free to access for all customers during the open beta period. Together with CSP Integrity, another brand new feature we announced only a couple of months ago, it will form part of our new Integrity Suite offering, which will become generally available in Q1 2026.
There's no doubt that these new capabilities are a fundamental improvement in client-side security, allowing for a level of native protection in the browser that is simply unmatched. Whilst the details we've covered in the CSP Integrity blog post, and now in this Integrity Policy blog post, are exciting, we still have a lot more to announce in the coming months!