Glossary
SRI
Subresource Integrity
SRI (Subresource Integrity) is a W3C web-platform feature that lets you pin the SHA-256, SHA-384 or SHA-512 hash of an external script or stylesheet in an integrity attribute on the <script> or <link> tag. The browser computes the hash of the downloaded bytes and, if it does not match any pinned digest, treats the fetch as a network error: the script is not executed (a stylesheet is not applied) and the element's error event fires.
Example: <script src="https://cdn.example/lib.js" integrity="sha384-AbC..." crossorigin="anonymous"></script>
What this protects against: a CDN compromise. If an attacker takes over the CDN and serves modified JavaScript, every site that includes the script via SRI refuses to run the modified version. Without SRI, every site silently gets the malicious payload.
The trade-off: pinning a hash means the resource cannot change without every page that references it being updated, and a stale hash breaks the page rather than degrading it. For first-party assets you are building anyway, the build step can regenerate the hashes, so SRI is a low-cost defence. For third-party CDN scripts at a fixed, versioned URL (a pinned jQuery release, for example) it is a meaningful security win at the cost of slower update propagation. It cannot be used for resources the provider changes in place without notice, such as self-updating analytics tags: every silent update would break the page until the hash is re-pinned. The attribute may list several digests, which lets you stage a change by publishing the old and new hash together before switching the resource.
For a cross-origin resource, SRI requires crossorigin="anonymous" on the tag plus a matching CORS header (Access-Control-Allow-Origin) on the CDN response. The browser can only check a hash over bytes it is allowed to read; a plain no-cors cross-origin fetch yields an opaque response whose body is hidden from the page's origin, and a resource with an integrity attribute that arrives that way is refused. Same-origin resources need no crossorigin attribute.
Published May 15, 2026