What is Subresource Integrity (SRI)

Today’s websites integrate code and content from dozens of third-party service providers - user analytics, marketing tags, CDNs, third-party JavaScript libraries, and so on. A significant portion of this content comprises executable scripts with direct security impact on the website. Subresource Integrity (SRI) is a W3C security standard that lets developers ensure that a script or stylesheet fetched from another server is exactly the version they reviewed: if the file has been altered, the browser refuses to use it.

How does Subresource Integrity (SRI) work?

SRI lets a web developer state, in the integrity attribute of a script or link element, a cryptographic hash of the file the browser is expected to receive. When the browser fetches the resource it hashes the response body and compares the result with the expected value. If they do not match, the script is not executed (or the stylesheet is not applied) and the load fails with a network error. The linked resource therefore cannot change silently: any modification, whether made in transit, on a compromised CDN, or by a routine update that was not accompanied by a new hash, causes the browser to reject it.

This makes SRI an effective defence against client-side attacks such as Magecart skimming that work by modifying a third-party script at its source. It is not a complete defence against code injection: it covers only the resources the page references directly, not inline scripts, scripts loaded dynamically by other scripts, or markup injected into the page by a vulnerability on the first-party server, which is where complementary controls such as Content Security Policy apply.

Prerequisites for enabling SRI:

  1. For a cross-origin resource, the server it is fetched from must serve it with CORS headers (Access-Control-Allow-Origin) and the element must carry a crossorigin attribute. Same-origin resources need neither.
  2. The resource must be static: its bytes must not change between deployments and must not depend on dynamic URL parameters, because every change requires a new hash and an unchanged hash causes the browser to block the resource.
  3. Hashes can only be applied to resources the page author references directly in the markup. Scripts that those scripts load at runtime (fourth-party code) are not covered unless the loading script itself sets integrity on the elements it creates.

Examples of Subresource Integrity (SRI)

A sample application of SRI is illustrated below:

<script src="https://mywebsite.com/script-framework.js" integrity="sha384-rfDwQgCBLzy8djasXR7ctlA4dE1HaH7L/ast5es1KLAjJTl2pTxRja2zc2TaT7qX" crossorigin="anonymous"></script>

  • ‘integrity’: one or more tokens of the form <algorithm>-<base64 digest>, where the digest is computed over the exact bytes of the resource (note the hyphen between the two parts). If several tokens are given, the browser considers only those using the strongest algorithm it supports and accepts the resource if any one of them matches; tokens with an unrecognised algorithm are ignored.
    • Hash algorithms supported:
      • sha256
      • sha384
      • sha512
  • ‘crossorigin’: required for cross-origin resources
    • The attribute makes the browser fetch the resource in CORS mode, so the serving host must respond with an ‘Access-Control-Allow-Origin’ header that permits the page’s origin (‘*’ is enough for crossorigin="anonymous"; crossorigin="use-credentials" needs the exact origin plus ‘Access-Control-Allow-Credentials: true’)
    • No preflight is involved: a script or stylesheet load is a simple GET, so the browser checks the CORS headers on the actual response
    • Without the attribute the browser makes a no-cors request and receives an opaque response whose bytes it may not inspect; it cannot verify the hash, so a resource with a non-empty integrity value fails to load rather than running unchecked
  • If the hash the browser computes at load time does not match any of the provided values, the script is blocked from execution (a stylesheet is not applied) and a network error is reported in the console

Subresource Integrity (SRI) Use Cases

Here are two examples of real-world uses of Subresource Integrity (SRI).

Example 1 - Blocking unverified scripts from third party sources

<script src="https://myanalytics.com/script-example.js" integrity="sha384-fjBcQcXzJxy8fdgcCY5uykM6+R9GqQ8K/uxy9rx7JVA2HLl1kCzTjo1cx2GwY8xH" crossorigin="anonymous"></script>

This instructs the browser to fetch "https://myanalytics.com/script-example.js" with a CORS request, hash the response, and execute the script only if the hash matches the expected value; on a mismatch the script is blocked and a network error is reported.

Example 2 - Blocking unverified code from CDNs

<link rel="stylesheet" href="https://thirdparty.example.net/style.css"
integrity="sha384-+/B7jarsHayaftladNMhLPcqaGa3F/KRdSAQaACyJPaTGIbNPQRTae452CUgA2aC" crossorigin="anonymous">

This instructs the browser to apply the stylesheet only if its content matches the expected hash, so that a file modified on a compromised CDN is rejected instead of being applied to the page. The same attributes work for a script served from a CDN, which is the more security-relevant case.


How to Automate SRI

Automating SRI is possible with Tala's Web Application Runtime Protection (WARP)

There are two common challenges in implementing SRI hashes:

  • Finding scripts that are eligible for hashing can be difficult
  • A dynamic codebase can also make it difficult to maintain hashes

Here’s how Tala’s WARP automates SRI:

Step 1: Discover all first party and third party scripts running on your website through Tala’s patented App Analysis Engine.

Step 2: Discover security-relevant behaviors of every script running on your website - whether they are CORS enabled, dynamically loaded or have access to sensitive information on your website. This information identifies which scripts are hashable.

Step 3: Tala’s SRI automation enforces hashes for identified scripts within minutes. The user can enable/disable hashes for individual scripts, if desired.

Step 4: Tala’s continuous monitoring alerts you for all SRI violations detected on your web application, in real-time.

Subresource Integrity (SRI) with Tala

Control Risk. Manage Trust.

Tala provides real time visibility into the scripts running on the web application and continuously monitors the scripts for changes. Implementing SRI manually can be administratively complex and time consuming for security teams. In addition, since websites operate dynamically and are upgraded regularly, this requires continuous adjustment to SRI hashes. Errors in implementing SRI could end up breaking the website.

Tala completely automates the process of hash generation, implementation, alerting and incident management. Website attacks are prevented in real time, website performance is preserved and the need for costly and continuous administration, remediation or incident response is minimized.

Is your website secure?

Request a free website analysis to find out.