Overview
An integrity manifest is a structured metadata document used in web security to define and validate the expected integrity of resources, particularly in contexts involving obfuscation, code transformation, and content delivery. It serves as a cryptographic verification layer that ensures resources have not been tampered with since they were originally packaged or deployed.
In the context of obfuscation, an integrity manifest typically accompanies transformed or minified JavaScript, CSS, or other assets. It is used to verify that the resource has not been altered in transit or by malicious actors, even if the original code has been obfuscated or encoded. The manifest is not a standalone mechanism but is integrated into deployment workflows, build systems, or content security policies.
Why It Matters
For developers, integrity manifests are essential in environments where obfuscation or code transformation is used. They provide a mechanism to validate that resources remain intact and unmodified, which is critical in preventing attacks such as man-in-the-middle tampering or unauthorized modifications. In production, integrity manifests help ensure that the code running in a user's browser matches what was intended by the developer.
Without integrity manifests, obfuscated code may be more vulnerable to tampering or injection attacks. This is particularly relevant in systems where obfuscation is used to protect intellectual property or to hinder reverse engineering. The manifest acts as a verification step that can be integrated into build pipelines, security policies, or runtime checks.
How It Works
An integrity manifest is typically generated during the build or packaging phase of a web application. It contains cryptographic hashes of resources and metadata about their expected state. The manifest is then either embedded in the HTML, loaded as a separate resource, or referenced through a Content Security Policy (CSP) directive.
- Manifests are usually generated using cryptographic algorithms such as SHA-256 or SHA-384 to compute a hash of the resource content.
- The manifest can be structured as a JSON document or a custom format depending on the implementation.
- It is typically used in conjunction with integrity attributes on
<script>or<link>tags to enforce verification at runtime. - Manifests can be versioned or updated as part of a deployment pipeline to track changes across builds.
- Validation of the manifest can occur at runtime, during loading, or as part of a pre-flight security check in a build process.
Quick Reference
| Item | Purpose | Notes |
|---|---|---|
| Hash algorithm | Computes integrity checksum | SHA-256 or SHA-384 recommended |
| Manifest structure | Defines resource metadata | JSON or custom format |
| Integrity attribute | Enforces verification | Used on <script> or <link> |
| Runtime validation | Checks resource integrity | Performed by browser or runtime |
| Build integration | Automated manifest generation | Part of CI/CD pipeline |
Basic Example
This example demonstrates a basic integrity manifest structure in JSON format, used to validate a script resource.
{
"resources": {
"main.js": {
"integrity": "sha384-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567"
}
}
}The integrity value is a base64-encoded hash of the script content. When used in HTML, it ensures that the browser will reject the script if its content changes.
Production Example
In a production environment, an integrity manifest is often generated by a build tool and used in a Content Security Policy to enforce resource integrity.
<script src="main.js" integrity="sha384-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567"></script>
<link rel="manifest" href="manifest.json">This version includes both inline integrity checks and a manifest file reference. It is suitable for production because it ensures that resources are verified at runtime and can be updated as part of a controlled deployment process.
Common Mistakes
- Not updating the manifest when resources change, leading to runtime failures or security bypasses.
- Using weak cryptographic algorithms like MD5 or SHA-1, which are vulnerable to collision attacks.
- Ignoring the manifest during deployment, which can lead to outdated or incorrect integrity checks.
- Failing to validate the manifest in CI/CD pipelines, causing undetected tampering in production.
- Storing the manifest in a location that is accessible to unauthorized users, potentially exposing the integrity values.
Security And Production Notes
- Always use strong cryptographic hashes like SHA-384 or SHA-512 to prevent collision attacks.
- Integrity manifests should be validated in the build pipeline, not just at runtime.
- Store manifests in secure locations and avoid exposing them to public access.
- Use the integrity attribute on all external resources to enforce verification.
- Consider integrating manifest validation into Content Security Policy (CSP) directives for enhanced protection.
Related Concepts
Several related concepts are closely tied to integrity manifests, including Content Security Policy (CSP), cryptographic hashing, resource integrity checks, obfuscation frameworks, and build automation tools. CSP, for example, often relies on integrity manifests to enforce resource validation. Cryptographic hashing is the core mechanism behind manifest integrity, while obfuscation frameworks may generate or require manifests to ensure code integrity after transformation.