integrity tag

Overview

An integrity tag, in the context of obfuscation, refers to a specific mechanism used to verify that a script or resource has not been tampered with during delivery or execution. It is typically implemented using cryptographic checksums or hashes, such as SHA-256, to ensure that the content remains unchanged from its original state. This concept is often used in conjunction with Content Security Policy (CSP) directives or as part of a broader anti-tampering strategy.

Developers use integrity tags when they need to enforce that external scripts or resources are authentic and have not been modified by an attacker. For example, when including a third-party library from a CDN, an integrity tag can be added to the script element to validate the hash of the script before execution. This helps prevent malicious actors from injecting code into a website by replacing legitimate resources with compromised versions.

integrity tag developer glossary illustration

Why It Matters

Integrity tags are crucial for maintaining security in web applications. Without them, a malicious actor could replace a legitimate script with a compromised one, potentially leading to data breaches, cross-site scripting (XSS), or other security vulnerabilities. By validating the integrity of resources, developers can significantly reduce the risk of such attacks.

Additionally, integrity tags are important for compliance with security standards such as OWASP Top 10 and NIST guidelines, which emphasize the need for input validation and resource integrity checks. In production environments, integrity tags are often part of a broader defense-in-depth strategy, where multiple layers of security are implemented to protect against various threats.

How It Works

The integrity tag mechanism works by generating a cryptographic hash of a resource, such as a JavaScript file, and embedding that hash in a policy or attribute. When the browser loads the resource, it recomputes the hash and compares it to the embedded value. If they match, the resource is allowed to execute; otherwise, it is blocked.

The integrity tag is typically implemented using the integrity attribute on HTML elements like <script> or <link>.
The hash algorithm used is usually SHA-256, though SHA-384 and SHA-512 are also supported.
The value of the integrity attribute is a base64-encoded string of the hash, prefixed with the algorithm used (e.g., sha256-).
If a resource fails the integrity check, the browser will block its execution and log an error to the console.
Integrity tags are not a replacement for other security measures but are a critical component in a layered approach to security.

Quick Reference

Item	Purpose	Notes
`integrity` attribute	Verifies resource authenticity	Must be used with `<script>` or `<link>`
Hash algorithms	Specify the hashing method	SHA-256, SHA-384, SHA-512 supported
Base64 encoding	Format of the integrity value	Required for valid integrity tags
Browser behavior	Resource execution	Blocked if hash mismatch occurs
Security context	Prevents tampering	Complements CSP and other protections

Basic Example

This example shows how to add an integrity tag to a script element using SHA-256.

<script src="https://cdn.example.com/library.js" integrity="sha256-abc123def456ghi789jkl012mno345pqr678stu901vwx" crossorigin="anonymous"></script>

The integrity attribute contains a base64-encoded SHA-256 hash of the script. The crossorigin attribute is used to ensure the browser fetches the resource with credentials, which is required for integrity checks.

Production Example

This example demonstrates a production-ready implementation that includes error handling and validation.

<script src="https://cdn.example.com/library.js" integrity="sha256-abc123def456ghi789jkl012mno345pqr678stu901vwx" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example.com/style.css" integrity="sha256-xyz789uvw012opqrs345tuv678wxy901zab234cde56f">

This version includes both script and stylesheet resources with integrity tags. It is suitable for production because it enforces resource authenticity and is compatible with CSP policies. The use of crossorigin ensures that the browser correctly handles the integrity check for cross-origin resources.

Common Mistakes

Not using the crossorigin attribute with external scripts, which can cause integrity checks to fail.
Using outdated or insecure hash algorithms like MD5 or SHA-1, which are vulnerable to collision attacks.
Forgetting to update the integrity hash when a resource is updated, leading to blocked resources in production.
Applying integrity checks only to scripts and ignoring stylesheets or other resources, which leaves gaps in security.
Assuming that integrity tags alone are sufficient to prevent all security issues, ignoring the need for additional protections like CSP.

Security And Production Notes

Always use SHA-256 or stronger algorithms for integrity checks to ensure resistance to collision attacks.
Update integrity hashes whenever a resource is modified to prevent execution of outdated or compromised code.
Ensure that the crossorigin attribute is used with external scripts to enable proper integrity validation.
Integrity tags should be part of a broader security strategy that includes CSP, input validation, and secure coding practices.
Monitor browser console logs for integrity check failures in production to detect potential tampering or misconfigurations.

Related Concepts

Several concepts are closely related to integrity tags, including Content Security Policy (CSP), which provides a framework for controlling resource loading; Cross-Origin Resource Sharing (CORS), which governs how resources are fetched across domains; and cryptographic hashing, which underpins the integrity check mechanism. Additionally, the concept of resource validation is important in broader web security practices, and integrity tags are often used in conjunction with these concepts to provide a layered defense against tampering and injection attacks.