Low Security Header

Integrity-Policy

Learn how Integrity-Policy enforces Subresource Integrity so scripts without a valid hash are blocked.

SiteSecurityScore Team·6 min read·Updated Jul 12, 2026

Integrity-Policy is a header that enforces Subresource Integrity across a resource type. When enabled for scripts, the browser blocks any script that loads without a valid integrity hash, protecting you against a compromised CDN or a tampered dependency. It is supported in current Chrome, Edge, and Safari, with partial support in Firefox, making it a practical supply-chain control to adopt.

What is Integrity-Policy?#

Subresource Integrity (SRI) lets you attach a cryptographic hash to a script or stylesheet so the browser refuses to run it if the bytes do not match. SRI is normally opt-in per element. Integrity-Policy makes it mandatory: it tells the browser that every resource of a given destination, currently scripts and stylesheets, must carry integrity metadata, and it blocks any that do not. This closes the gap where a single un-hashed script could be swapped out by an attacker who controls a third-party origin.

  • Requires integrity metadata on all resources of a destination, currently scripts and stylesheets
  • Blocks un-hashed or tampered scripts, a supply-chain protection
  • Reporting is configured through the Reporting API endpoints token
  • Supported in Chrome 138 and later, Edge 138 and later, and Safari 26 and later, with partial Firefox support

Header syntax#

Integrity-Policy is a structured header with a small set of keys.

  • blocked-destinations names the resource types that must have integrity, currently (script) or (style)
  • sources names where the policy applies. The only value is (inline), which is also the default
  • endpoints names the Reporting-Endpoints groups that receive violation reports

Report-Only mode#

Enforcing integrity on every script can break a site that still loads un-hashed third-party code. Deploy Integrity-Policy-Report-Only first: the browser reports every script that lacks integrity metadata to your reporting endpoint without blocking it, so you can add hashes before you enforce.

Add hashes before enforcing

Any script without a valid integrity attribute is blocked once you enforce. Use report-only to find them all, add integrity hashes, then switch to the enforcing header.

Configuration
# Observe without blocking Reporting-Endpoints: default="https://example.com/reports" Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(default) # Enforce once every script has integrity metadata Integrity-Policy: blocked-destinations=(script), endpoints=(default)

Implementation Guide#

Set the header at your server or edge and make sure your build pipeline adds integrity attributes to every script tag.

Configuration
# Apache Header always set Integrity-Policy "blocked-destinations=(script), endpoints=(default)" # Nginx add_header Integrity-Policy "blocked-destinations=(script), endpoints=(default)" always; # Every script tag must carry a hash # <script src="/app.js" integrity="sha384-..."></script>

Best Practices#

Integrity-Policy is most useful once your scripts already ship with SRI hashes.

  • Add integrity attributes to your own and third-party scripts first
  • Deploy Integrity-Policy-Report-Only, review reports, then enforce
  • Combine with a strong Content-Security-Policy script-src for layered script control
  • Supported across current Chrome, Edge, and Safari, with Firefox partial, so it is safe to adopt broadly

Implementation Examples#

Report-only for scripts

Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(default)

Reports scripts without integrity metadata

Explanation: Finds every script that lacks an SRI hash and reports it to your endpoint, without blocking, so you can fix them first.

Enforce integrity on scripts

Integrity-Policy: blocked-destinations=(script), endpoints=(default)

Blocks scripts without a valid hash

Explanation: Once every script carries integrity metadata, this blocks any un-hashed or tampered script from loading.

Key Directives#

blocked-destinations

Resource types that must carry integrity metadata: (script) or (style)

blocked-destinations=(script)

sources

Where the policy applies. Only (inline) is defined, and it is the default

sources=(inline)

endpoints

Reporting-Endpoints groups that receive violation reports

endpoints=(default)

References#

Was this helpful?
Share

Test Your Integrity-Policy Configuration

Scan your site to check if Integrity-Policy is properly configured.