Why BootstrapCDN Believes in SRI and You Should Too
January 25, 2016 | Justin Dorfman
As the CDN that accelerates Bootstrap and other popular open source projects, we would like to announce Subresource Integrity (SRI) hash support on BootstrapCDN. SRI support on BootstrapCDN officially debuted on August 15, 2015 and has been welcomed by the Bootstrap community.
SRI, an emerging web standard that protects website assets from unexpected modifications, is now easier than ever for Bootstrap users to implement. To serve Bootstrap files quickly and securely from our CDN, simply copy and paste the code located on the BootstrapCDN homepage.
Why Subresource Integrity Is Important
BootstrapCDN learned this lesson the hard way in 2013. Due to an unfortunate chain of events, a malicious user was able to replace the open source files we were serving. As a result, websites using BootstrapCDN delivered Java exploits to their visitors until we were able to fix everything.
To protect websites from attacks originating from compromised CDNs, the World Wide Web Consortium (W3C) standardized Subresource Integrity in 2015. The goal was to provide an additional layer of security to websites with third-party hosted assets. Now this new standard lets users of BootstrapCDN and other public CDNs protect their visitors from malicious code if, in the unlikely event, the CDN is compromised.
How Subresource Integrity Works
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha256-KXn5puMvxCw+dAYznun+drMdG1IFl3agK0p/pqT9KAo= sha512-2e8qq0ETcfWRI4HJBzQiA3UoyFk6tbNyG+qSaIBZLyW9Xf3sWZHN/lxe9fTh1U45DpPf07yj94KsUHHWe4Yk1A==" crossorigin="anonymous"></script>
The following screenshot demonstrates what happens under the hood with Mozilla Firefox when the SRI hash does not check out:
This screenshot shows that the browser has refused to execute the Bootstrap framework because the hash was invalid.
Browser Support for SRI
At the time of this writing, modern browsers like Mozilla Firefox, Google Chrome, and Opera all support SRI on desktop operating systems. Mobile versions of Firefox and Chrome have also integrated the standard.
Although Internet Explorer does not support SRI, the Edge developer team is considering adding support. (Feel free to vote for the feature request on the Windows developer feedback site, or give the Edge team a shout on Twitter to give it a little push.)
For the latest news and full details on browser support, please refer to caniuse.com.
How to Implement SRI
For BootstrapCDN files, implementation is super easy, and for all other third-party files it's not much harder: it just requires generating a hash and constructing a script tag.
For BootstrapCDN Files
At BootstrapCDN we have already included the SRI hash for you. Just hop on our main page and copy-paste the HTML tag of your favorite asset into the HTML source of your website. After doing this you're all set, and your BootstrapCDN-hosted website assets are protected.
For Other Files
Fire up your terminal and launch the following commands:
$ curl -s https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js | openssl dgst -sha512 -binary | openssl base64 -A
2e8qq0ETcfWRI4HJBzQiA3UoyFk6tbNyG+qSaIBZLyW9Xf3sWZHN/lxe9fTh1U45DpPf07yj94KsUHHWe4Yk1A==
Then construct your own <script> tag with the output of the commands:
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha512-2e8qq0ETcfWRI4HJBzQiA3UoyFk6tbNyG+qSaIBZLyW9Xf3sWZHN/lxe9fTh1U45DpPf07yj94KsUHHWe4Yk1A==" crossorigin="anonymous"></script>
If you have no access to a terminal, try out the SRI hash generators online at srihash.org and report-uri.io. And if you’re a website developer, you can implement SRI hashing into your automated workflow with Grunt, Gulp, Broccoli, Webpack and Handlebars plugins. WordPress users may prefer the plugin that adds the hash automatically to third-party assets.
Subresource Integrity FAQs
Can I use HTTP compression with SRI?
Yes. gzip/deflate and any other transport compression work with SRI: the browser checks the integrity of the content after it has received and decoded it, so compression, redirects and delays do not affect the check.
Can the CDN change the hash value of the original file?
Will it work if my website is HTTP only?
HTTP works with SRI, but HTTPS is strongly advised.
Can it work with images and other file types?
What is the performance impact of SRI?
There do not seem to be any concrete statistics on performance yet, but SHA-512 hashing appears to take only single-digit milliseconds.
- Mozilla Developers on Subresource Integrity
- A CDN that cannot XSS you – Using Subresource Integrity
- GitHub implements SRI
- What if China went all GitHub on your website?