security.sri
- Type:
- Default:
undefined - Version:
>= 0.7.3
Adding an integrity attribute to <script> and <link rel="stylesheet"> tags introduced by HTML allows the browser to verify the integrity of the introduced resource, thus preventing tampering with the downloaded resource.
SRI
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
For <script> tags, the result is to refuse to execute the code; for CSS links, the result is not to load the styles.
For more on subresource integrity, see Subresource Integrity - MDN.
Example
When using SRI, you need to enable html.crossorigin, which ensures that resources can be properly validated with SRI during cross-origin loading.
The <script> and <link rel="stylesheet"> tags generated by Rsbuild will include the integrity and crossorigin attributes:
Limitations
The security.sri in Rsbuild will only apply to the tags generated by Rsbuild and will not apply to:
- The original tags in the HTML template.
- The tags injected asynchronously by Rspack.
- The tags inserted through client JavaScript code.
Options
enable
- Type:
'auto' | boolean - Default:
false
Whether to enable SRI. 'auto' means it's enabled in production mode and disabled in development mode.
Typically, you do not need to enable SRI in development mode.
algorithm
- Type:
'sha256' | 'sha384' | 'sha512' - Default:
'sha384'
Specifies the algorithm used to compute the integrity hash.
For example, set to sha512:
The generated value of integrity attribute will be prefixed with sha512-:
Reference: Cryptographic hash functions.