---
title: "What is Subresource Integrity (SRI)?"
description: "In this article: What is it?SRI with a WebappSRI Code with SSHWordPress What is Subresource Integrity (SRI)? Subresource integrity (SRI) is W3C standard that protects websites against malicious..."
url: https://www.inmotionhosting.com/support/security/subresource-integrity-sri/
date: 2019-09-04
modified: 2021-11-04
author: "InMotion Hosting Contributor"
categories: ["Security"]
type: post
lang: en
---

# What is Subresource Integrity (SRI)?

**In this article:**

- [What is it?](#what)
- [SRI with a Webapp](#webapp)
- [SRI Code with SSH](#checksum)
- [WordPress](#wordpress)

## What is Subresource Integrity (SRI)?

Subresource integrity (SRI) is W3C standard that protects websites against malicious modifications to JavaScript and CSS libraries hosted externally on content delivery networks (CDNs) for the fastest delivery possible. The most popular examples are Jquery and Bootstrap.

We’ll use the [Bootstrap 4.3.1](https://getbootstrap.com/docs/4.3/getting-started/introduction/) CSS `src` link for our examples throughout this article. Imagine your website uses the Bootstrap CSS snippet below:

`<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">`

Now imagine someone gains authorized access to that CDN storage location. The infected package could now steal users’ info, redirect links to include multiple targets destinations, initiate denial-of-service (DOS) attacks, and more.

This is what subresource integrity (SRI) prevents by adding an `integrity` attribute with the checksum (synonymous with hash and digital fingerprint) and specified algorithm for the authentic package alongside the source URL. This directs the web browser to compare the source URL’s checksum to the given checksum and **only load it if they match**. Include the `crossorigin` attribute to direct browsers to complete this action without cookies.

To apply SRI to our example, we’d add the following attributes for a SHA384 checksum:

- integrity=”sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T”
- crossorigin=”anonymous”

If we added SRI with SHA384 to our CSS example above:

```

```

**Note:**The Bootstrap Getting Started guide includes SRI with SHA384 by default.<

**Warning:** Do not simply copy any code from this article in to your website. Visit [GetBootstrap](https://getbootstrap.com/)[.com](https://getbootstrap.com/) and create a checksum yourself to ensure you’re not adding malware.

SRI usage requires that the user’s browser User-agent support SHA-256, SHA-384, and SHA-512 hash functions. An User-agent may not support the weaker MD5 and SHA-1 algorithms.

You can also add multiple algorithms for forward-compatibility with newer cryptographic algorithms. In such cases, the strongest supported hash would be used. For example, below you’ll see a SHA512 checksum following the SHA384:

```

```

In the future, SRI may expand to support audio/visual files which would be helpful for [live broadcasters](https://www.inmotionhosting.com/support/edu/live-broadcasting/) with self-hosted podcasts.

Below we cover how to implement subresource integrity (SRI) in websites using external libraries.

## Web App

Users without SSH access can use free web applications to ease the process.webappVisitUsers without SSH access can use free web applications to ease the process.

1. Visit [SRIhash.org](https://www.srihash.org/).
2. Paste the library `src` URL and click **Hash!**
3. [Edit your index file](/support/website/how-to-edit-a-file/).
4. Paste the full script code provided within your website `<head>` section.
5. Test your SRI integration at [observatory.mozilla.org](https://observatory.mozilla.org/).

## Create a Checksum in SSH

Advanced users can use [a local computer terminal](/support/security/create-checksum-locally/) or [web server SSH](/support/security/verify-checksums-ssh/) to create a checksum. If the library is hosted on an external server, you’ll need to use the `curl` command below.

1. [Log in to SSH](/support/server/ssh/do-you-provide-ssh-access/) or [cPanel Terminal](/support/edu/cpanel/how-to-launch-the-cpanel-terminal/).
2. Run the following command, replacing *url-to-filename* with the source URL (`&& echo` forces the checksum shows to a new line): `curl -s https://*url-to-filename* | openssl dgst -sha384 -binary | openssl base64 -A ``&& echo`
3. (Optional) To get a SHA512 checksum or stronger, simple replace `;-sha384` with your preferred algorithm:`curl -s https://url-to-filename | openssl dgst -sha512 -binary | openssl base64 -A ``&& echo`
4. Add the following after the `src` URL: `integrity="sha384-*checksum-from-code*" crossorigin="anonymous"`

So you don’t have to scroll up, our example from above:

```

```

## WordPress

As of now, WordPress doesn’t have a native ability to add SRI . There’s an official WordPress [Trac ticket](https://core.trac.wordpress.org/ticket/33948) regarding its possible implementation. For now, WordPress users should check out the [Subresource Integrity (SRI) Manager plugin](https://www.inmotionhosting.com/support/edu/wordpress/subresource-integrity-sri-wordpress/) for compliance.

Looking for an in-depth security solution? Check out the [Sucuri](https://sucuri.net/lp/promo/inmotion/?clickid=2q13a3S7QxyLT9tQy%3ASR0UvEUkBWzkx6hTDQUQ0) web application firewall (WAF), or ask about our security features on [VPS Hosting](https://www.inmotionhosting.com/vps-hosting).
