security.sri

  • Type:
type SRIOptions =
  | {
      hashFuncNames?: string[];
      enabled?: 'auto' | boolean;
      hashLoading?: 'eager' | 'lazy';
    }
  | boolean;
  • Default: undefined
  • Bundler: only supports webpack

Adding the integrity attribute to sub-resources referenced by the HTML lets the browser verify each resource it downloads, which prevents a tampered resource from being used.

Enabling this option will set the webpack output.crossOriginLoading configuration option to anonymous.

Introduction to SRI

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

If the hash does not match, the browser refuses to execute the code for script tags and does not load the styles for CSS links.

For more on subresource integrity, see Subresource Integrity - MDN.
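The check described above, as an added example (a simplified Node.js model of the SRI matching rules, not code from this project). The function names and the sample bundle contents are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// Algorithm names the SRI specification defines, weakest first.
const SRI_ALGOS = ['sha256', 'sha384', 'sha512'];

// Value for the integrity attribute: "<algo>-<base64 digest of the body>".
function sriDigest(body, algo = 'sha384') {
  if (!SRI_ALGOS.includes(algo)) throw new Error(`not an SRI algorithm: ${algo}`);
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Parse the attribute; tokens with an unrecognised algorithm are ignored.
function parseIntegrity(attr) {
  const parsed = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) parsed.push({ algo: m[1], digest: m[2] });
  }
  return parsed;
}

// 'match' or 'blocked'; 'unchecked' means no usable hash, so nothing is enforced.
function checkIntegrity(attr, body) {
  const parsed = parseIntegrity(attr);
  if (parsed.length === 0) return 'unchecked';
  // Only hashes using the strongest algorithm present are compared.
  const strongest = parsed.reduce((best, m) =>
    SRI_ALGOS.indexOf(m.algo) > SRI_ALGOS.indexOf(best) ? m.algo : best, 'sha256');
  // Simplification: compares base64 text rather than decoded bytes.
  const actual = createHash(strongest).update(body).digest('base64');
  return parsed.some((m) => m.algo === strongest && m.digest === actual)
    ? 'match' : 'blocked';
}

// Constructed sample: a bundle as built, and the same bundle after modification.
const built = Buffer.from('console.log("app v1");');
const tampered = Buffer.from('console.log("app v1");/* injected */');

console.log(checkIntegrity(sriDigest(built), built));      // same bytes
console.log(checkIntegrity(sriDigest(built), tampered));   // modified bytes
console.log(checkIntegrity('sha-256-AAAA', tampered));     // unknown algorithm
```

An attribute that carries only unrecognised algorithm names gives no protection, so it is worth confirming that the emitted integrity values start with sha256-, sha384- or sha512-.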

Example

SRI is not turned on by default. When it is turned on, its default configuration is as follows:

{
  hashFuncNames: ['sha384'],
  enabled: "auto",
  hashLoading: "eager",
}

You can customize the configuration options according to your own needs:

export default {
  security: {
    sri: {
      hashFuncNames: ['sha256'], // SRI algorithm names are sha256, sha384 and sha512
      enabled: true,
      hashLoading: 'lazy',
    },
  },
};