Skip to content

subresource-integrity/subresource-integrity.com

Repository files navigation

Subresource Integrity & Supply Chain Hardening

A comprehensive, free technical reference for securing the modern web supply chain — subresource-integrity.com

Every CDN-hosted library, every npm package, and every third-party widget is a potential injection vector. A single compromised CDN edge node or maintainer account can silently backdoor millions of sites. This site is the reference that shows engineers exactly how to shut that door — from a single integrity hash to a full defense-in-depth policy stack.

👉 Read it live: www.subresource-integrity.com

Why this exists

Most SRI documentation stops at "add an integrity attribute." Real production systems need far more: deterministic hashing across build tools, CDN trust mapping, dependency provenance, and browser-side policy enforcement that layers on top of SRI. This site covers the complete stack, with copy-pasteable, production-ready examples and verification steps on every page.

What it covers

  • Core SRI fundamentals — SHA-256 vs SHA-384 vs SHA-512, browser enforcement mechanics, CORS and opaque-response edge cases, Content Security Policy integration, stylesheet and web-font integrity, and graceful fallback strategies.
  • Asset hashing & dynamic script injection — automated hash generation in Webpack 5 and Vite, CDN trust mapping (jsDelivr, unpkg), ES module and import-map integrity, and keeping integrity checks intact for runtime-injected scripts.
  • Supply chain auditing & dependency verification — lockfile analysis, CycloneDX SBOM generation, Sigstore provenance verification, dependency pinning, continuous monitoring, third-party risk scoring, and vulnerability triage mapped to PCI DSS.
  • Runtime policy enforcement & Trusted Types — CSP nonces and hash-based policies, Trusted Types for DOM-XSS prevention, coordinating SRI + CSP + Trusted Types into defense in depth, and violation telemetry via the Reporting API.

Every page ships with a hand-authored diagram, structured data, real error signatures with fixes, and compliance mapping (PCI DSS v4.0.1, SOC 2, ISO 27001, NIST).

Who it's for

Frontend and backend engineers, security engineers, DevOps/platform teams, and compliance owners who need authoritative, implementation-ready guidance on integrity and supply-chain controls.

Built with

  • Eleventy (11ty) — static site generator
  • Hand-authored, theme-aware inline SVG diagrams (no runtime charting)
  • Progressive enhancement — the site is fully readable and navigable without JavaScript
  • Deployed on Cloudflare Pages

Local development

npm install
npm run build     # build the static site into _site/
npm start         # serve locally with live reload

Contributing

Corrections, clearer explanations, and new real-world examples are welcome. Open an issue or pull request describing the change. Keep code examples production-ready and prefer SHA-384 as the default algorithm to match industry norms.

License & usage

Content is provided as a free educational reference. Please link back to subresource-integrity.com when quoting substantial sections.


Maintained by @subresource-integrity · www.subresource-integrity.com

About

A comprehensive, free technical reference for Subresource Integrity (SRI) and web supply-chain hardening — hash generation, CDN trust mapping, CSP & Trusted Types, SBOMs, dependency provenance, and vulnerability triage.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors