A comprehensive, free technical reference for securing the modern web supply chain — subresource-integrity.com
Every CDN-hosted library, every npm package, and every third-party widget is a potential injection vector. A single compromised CDN edge node or maintainer account can silently backdoor millions of sites. This site is the reference that shows engineers exactly how to shut that door — from a single integrity hash to a full defense-in-depth policy stack.
👉 Read it live: www.subresource-integrity.com
Most SRI documentation stops at "add an integrity attribute." Real production systems need far more: deterministic hashing across build tools, CDN trust mapping, dependency provenance, and browser-side policy enforcement that layers on top of SRI. This site covers the complete stack, with copy-pasteable, production-ready examples and verification steps on every page.
- Core SRI fundamentals — SHA-256 vs SHA-384 vs SHA-512, browser enforcement mechanics, CORS and opaque-response edge cases, Content Security Policy integration, stylesheet and web-font integrity, and graceful fallback strategies.
- Asset hashing & dynamic script injection — automated hash generation in Webpack 5 and Vite, CDN trust mapping (jsDelivr, unpkg), ES module and import-map integrity, and keeping integrity checks intact for runtime-injected scripts.
- Supply chain auditing & dependency verification — lockfile analysis, CycloneDX SBOM generation, Sigstore provenance verification, dependency pinning, continuous monitoring, third-party risk scoring, and vulnerability triage mapped to PCI DSS.
- Runtime policy enforcement & Trusted Types — CSP nonces and hash-based policies, Trusted Types for DOM-XSS prevention, coordinating SRI + CSP + Trusted Types into defense in depth, and violation telemetry via the Reporting API.
Every page ships with a hand-authored diagram, structured data, real error signatures with fixes, and compliance mapping (PCI DSS v4.0.1, SOC 2, ISO 27001, NIST).
Frontend and backend engineers, security engineers, DevOps/platform teams, and compliance owners who need authoritative, implementation-ready guidance on integrity and supply-chain controls.
- Eleventy (11ty) — static site generator
- Hand-authored, theme-aware inline SVG diagrams (no runtime charting)
- Progressive enhancement — the site is fully readable and navigable without JavaScript
- Deployed on Cloudflare Pages
npm install
npm run build # build the static site into _site/
npm start # serve locally with live reloadCorrections, clearer explanations, and new real-world examples are welcome. Open an issue or pull request describing the change. Keep code examples production-ready and prefer SHA-384 as the default algorithm to match industry norms.
Content is provided as a free educational reference. Please link back to subresource-integrity.com when quoting substantial sections.
Maintained by @subresource-integrity · www.subresource-integrity.com