Security Reference Guide

Subresource Integrity & Supply Chain Hardening

A comprehensive technical reference for frontend and backend engineers, security teams, and DevOps. Master SRI, hash generation, CDN trust mapping, dependency auditing, and supply chain verification.

Every CDN-hosted library, every npm package, every third-party widget is a potential injection vector. A single compromised CDN edge node or maintainer account can silently backdoor millions of sites — bypassing traditional perimeter defences by exploiting the implicit trust modern apps extend to upstream registries and delivery networks.

Subresource Integrity (SRI) is the browser’s answer: embed a base64-encoded cryptographic hash in your <script> or <link> tag, and the browser refuses to execute any resource whose bytes don’t match — no exceptions.

This reference covers the complete supply chain hardening stack:

  • Hash algorithms — SHA-256 vs SHA-384 vs SHA-512, collision resistance, and how browsers verify
  • Build-time automation — generating and injecting hashes in Webpack 5 and Vite pipelines
  • CDN trust mapping — per-origin SRI policies, jsDelivr and unpkg pinning, and cross-origin resource sharing rules
  • Dynamic loading — keeping integrity checks intact when scripts, ES modules, and import maps load at runtime
  • Dependency auditing — lockfile analysis, CycloneDX SBOMs, Sigstore provenance, continuous monitoring, and vulnerability triage
  • Runtime policy enforcement — CSP nonces and hash-based policies, Trusted Types for DOM XSS, and violation telemetry that layer on top of SRI

Start with Core SRI Fundamentals if you’re new to the topic, or jump straight to the section most relevant to your current work. Once you have SRI in place, Runtime Policy Enforcement & Trusted Types shows how to combine it with Content Security Policy and Trusted Types for defense in depth.

Explore Topics

Start Here

The highest-impact pages for engineers new to SRI and supply chain hardening.

How to Calculate SHA-256 vs SHA-384 for SRI
Configuring Content Security Policy with SRI
Automating Hash Generation in Webpack 5
Verifying Sigstore Provenance for npm Packages
Implementing Dynamic Script Loaders with Integrity

All Articles