Supply Chain Security

Block Tampered Scripts. Know When It Happens.

Subresource Integrity blocks scripts whose contents no longer match the hash you pinned. The Integrity-Policy header makes sure every script on the page carries such a hash and reports the ones that do not. Route those reports to your security tools.

The Problem

Your CDN Could Be Compromised Right Now

Modern web applications load an average of 13 third-party scripts: analytics, ads, widgets, polyfills. Each one is a dependency you trust implicitly. But what happens when that trust is violated?

In June 2024, the Polyfill.io attack demonstrated the catastrophic potential of supply chain compromises. After a Chinese company acquired the popular CDN domain, they injected malicious JavaScript that affected over 380,000 websites. Victims included JSTOR, Intuit, Hulu, Mercedes-Benz, and the World Economic Forum.

The attack was sophisticated: malware only activated on mobile devices, during specific hours, and deliberately avoided developer tools. Site owners had no idea their trusted polyfill library was redirecting users to gambling scams. The original developer had warned users months before, but most never saw the warning.

This isn't isolated. In July 2024, trojanized versions of jQuery appeared on npm and jsDelivr. These were fully functional libraries with hidden form-capture malware. Your site could be loading compromised scripts right now, silently exfiltrating customer data.

The Solution

Subresource Integrity: Cryptographic Script Verification

Subresource Integrity (SRI) is a W3C security standard that lets you verify external scripts haven't been tampered with. You provide a cryptographic hash of the expected file, and the browser blocks execution if the hash doesn't match.

SRI is supported by 92.92% of browsers worldwide (Chrome 45+, Firefox 43+, Safari 11+, Edge 17+). It is a mature defense that needs no JavaScript SDK and no runtime code of its own: you compute each file's hash once per release, and the only cost in the browser is a single hash of the fetched bytes before they run.

Implementation is straightforward: add an integrity attribute to each script tag with the expected SHA-384 hash, along with crossorigin="anonymous". The crossorigin attribute is not optional for a cross-origin script: the browser can only verify bytes it is allowed to read, so the CDN must answer with an Access-Control-Allow-Origin header, otherwise the load fails even when the file is intact. Pin versioned URLs rather than "latest", because a hash locks in one exact file. Browsers verify that the fetched file matches the hash before executing it. Several hashes may be listed, separated by spaces; only the strongest algorithm present is consulted, and any one of its hashes matching is enough, so a version rollover can list the old and the new file side by side.

A site that had pinned a hash to a script served from polyfill.io would have had the tampered file blocked before it executed; the malicious code would never have run. The caveat is that polyfill.io generated a different bundle for each User-Agent, which is exactly the kind of dynamic script a single hash cannot pin. The practical lesson is to load static, versioned files that SRI can cover, and to self-host or drop anything whose contents change per request.

The Challenge

But SRI Failures Are Invisible

SRI blocks tampered scripts, but it does not tell you when that happens. On a hash mismatch the browser logs a console error and fires the script element's error event, and that is where it ends: nothing reaches your server, no alert fires. Your site might break, but you will not know why. Just as important, SRI only protects the script tags that carry an integrity attribute; a tag injected into the page, or one a developer forgot to pin, is executed without any check at all.

Worse, you can't distinguish between a supply chain attack and a routine CDN issue. A hash mismatch could mean your users are under active attack. Or it could mean the CDN pushed a legitimate update and your hashes are stale. Without visibility, you're guessing.

PCI DSS 4.0 makes this a compliance matter on payment pages. Requirement 6.4.3 calls for an inventory of all payment page scripts, each one authorized and its integrity assured, and 11.6.1 calls for a change- and tamper-detection mechanism that alerts on unauthorized modification of payment page content and HTTP headers; both have been mandatory since 31 March 2025. Compliance teams need an audit trail, and silent blocking provides no evidence.

The Integrity-Policy header closes that gap. Supported in Chrome 138+, Edge 138+ and Firefox 145+ (over two-thirds of browsers), it tells the browser to refuse any script that is loaded without integrity metadata, or fetched in no-cors mode so its hash cannot be checked, and to send an integrity-violation report for each one through the Reporting API. Your endpoint receives the blocked script URL, the document that requested it, the destination type, and whether the policy was in report-only mode. The Integrity-Policy-Report-Only variant collects the same reports without blocking anything, so you can find every unpinned script before you enforce.

With Integrity-Policy, the scripts SRI never got to check become visible: an injected tag, a forgotten integrity attribute, a CDN that stopped sending CORS headers. Each report tells you which script, on which page, and whether the policy was enforced. For the hash mismatches themselves, the script element's error event is the signal to forward. Together they let you tell an active attack from configuration drift, with the audit trail compliance requires.

The Answer

Turn Silent Protection Into Actionable Visibility

Receive integrity-violation reports via the Reporting API. Route them to your security tools. No SDK required, just HTTP headers.

Immediate Alerting
Know the moment an integrity check fails. Route violations to AppSignal, webhooks, or Google Chat instantly. Don't wait for customers to report broken features.
Attack vs. Configuration Error
Distinguish between supply chain attacks and configuration drift. Each report names the blocked script URL, the page that requested it, and whether the policy was enforced or report-only, so a script from an origin you never authorized can be triaged as a possible injection while a known CDN script that simply lacks an integrity attribute is handled as a coverage gap.
Incident Response Ready
When an integrity violation hits, you need to act fast. Automatic routing to your security tools means your incident response can begin immediately, not hours after the attack started.
PCI DSS 4.0 Compliance
Meet requirements 6.4.3 and 11.6.1 with an audit trail of script integrity monitoring. Demonstrate to auditors that you're actively detecting unauthorized modifications to payment page scripts.

Ready to Monitor Integrity Violations?

Detect supply chain attacks and CDN compromises the moment they happen. Setup takes minutes.