SRI
Use SRI to load securely assets loaded from a external CDN.
Options See on deno.land
- algorithm sha256 sha384 sha512
The algorithm used to calculate the cryptographic hash of the file
Default:"sha384"- crossorigin anonymous use-credentials
The CORS setting for the file being loaded
Default:"anonymous"- selector string
The selector to find the elements to add the integrity attribute
Default:"script[src], link[rel=stylesheet][href]"
Description
SRI (Subresource Integrity) is a browser feature to protect your site and your users from compromised code loaded from external CDN. It verifies the code loaded by the browser is exactly the same code that you got during the build process, without unexpected manipulations. You can learn more about SRI in the MDN article.
The plugin searches for <script> and <link rel="stylesheet"> elements in your pages that load resources from other domains and add the integrity and crossorigin attributes automatically. For example, if you have this code:
<script src="https://code.jquery.com/jquery-3.7.0.slim.min.js"></script>
The plugin outputs the following:
<script
src="https://code.jquery.com/jquery-3.7.0.slim.min.js"
integrity="sha256-tG5mcZUtJsZvyKAxYLVXrmjKBVLd6VpVccqz/r4ypFE="
crossorigin="anonymous"
></script>
Installation
Import this plugin in your _config.ts file to use it:
import lume from "lume/mod.ts";
import sri from "lume/plugins/sri.ts";
const site = lume();
site.use(sri(/* Options */));
export default site;
Note
Note that SRI only works with URLs that always return the same code, so you must use URLs that are guaranteed never to change. Learn how to use SRI with jsDelivr.