This free service allows software developers to scan websites for Subresource Integrity (SRI) hashes.
SRI hashes let a visitor's browser verify that a script or stylesheet fetched from a third party has not been modified in transit or on the host. Without that check, a tampered asset could serve browser exploits, mount denial of service attacks, steal cookies or perform other harmful actions.
The benefit of CDNs to the visitor experience is considerable. Providers host the assets in datacenters around the globe with good network connections, so webpages load faster in visitors' browsers. The uptime of a typical CDN is also close to 100%.
Another example dates from 2014, when, according to RiskIQ, jQuery's CDN was compromised. Although jQuery did not confirm any unauthorized modification of the hosted library, the case highlights the problem of blind trust in these third parties.
The solution is to confirm the integrity of third-party assets with a cryptographic hash, the Subresource Integrity (SRI) hash. The format has been standardized by the W3C: the integrity value is the base64-encoded SHA-256, SHA-384 or SHA-512 digest of the file, prefixed with the algorithm name (sha256-, sha384- or sha512-). Weaker algorithms such as MD5 or SHA-1 are not accepted by browsers.
Protecting third-party hosted assets is relatively straightforward. First, we generate the SRI hash of the asset. Then we add the calculated value in an integrity attribute on the script or link tag that loads it. For an asset served from another origin the tag also needs crossorigin="anonymous": the browser can only check bytes it is allowed to read, and without CORS it will block the resource.
When the visitor's browser downloads the remote asset from the CDN, it computes the hash of the received bytes and compares it with the value in the integrity attribute. If they do not match, the browser refuses to execute the script or apply the stylesheet and reports an error in the console.
sritest.io was born to foster the adoption of SRI. I encourage every website developer to consider adding SRI hashes to each supported asset.
I am a security consultant based in the United Kingdom.
I have experience with architectural design, policy- and risk management, and incident management. I have also been dealing with application security, vulnerability management, and event log management for a long time. I love to develop software in my free time.
Check out my blog for more interesting projects.