• Type:
type SRIOptions =
  | {
      hashFuncNames?: string[];
      enabled?: 'auto' | boolean;
      hashLoading?: 'eager' | 'lazy';
  | boolean;
  • Default: undefined
  • Bundler: only support webpack

Adding an integrity attribute (integrity) to sub-resources introduced by HTML allows the browser to verify the integrity of the introduced resource, thus preventing tampering with the downloaded resource.

Enabling this option will set the webpack output.crossOriginLoading configuration option to anonymous.

Introduce SRI

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

For script tags, the result is to refuse to execute the code; for CSS links, the result is not to load the styles.

For more on subresource integrity, see Subresource Integrity - MDN.


By default, SRI is not turned on, and when it is, its default configuration is as follows:

  hashFuncNames: ['sha384'];
  enabled: "auto",
  hashLoading: "eager",

You can customize the configuration options according to your own needs:

export default {
  security: {
    sri: {
      hashFuncNames: ['sha-256'],
      enabled: true,
      hashLoading: 'lazy',