Integrity-Policy
Learn how Integrity-Policy enforces Subresource Integrity so scripts without a valid hash are blocked.
Integrity-Policy is a header that enforces Subresource Integrity across a resource type. When enabled for scripts, the browser blocks any script that loads without a valid integrity hash, protecting you against a compromised CDN or a tampered dependency. It is supported in current Chrome, Edge, and Safari, with partial support in Firefox, making it a practical supply-chain control to adopt.
What is Integrity-Policy?#
Subresource Integrity (SRI) lets you attach a cryptographic hash to a script or stylesheet so the browser refuses to run it if the bytes do not match. SRI is normally opt-in per element. Integrity-Policy makes it mandatory: it tells the browser that every resource of a given destination, currently scripts and stylesheets, must carry integrity metadata, and it blocks any that do not. This closes the gap where a single un-hashed script could be swapped out by an attacker who controls a third-party origin.
- Requires integrity metadata on all resources of a destination, currently scripts and stylesheets
- Blocks un-hashed or tampered scripts, a supply-chain protection
- Reporting is configured through the Reporting API endpoints token
- Supported in Chrome 138 and later, Edge 138 and later, and Safari 26 and later, with partial Firefox support
Header syntax#
Integrity-Policy is a structured header with a small set of keys.
- blocked-destinations names the resource types that must have integrity, currently (script) or (style)
- sources names where the policy applies. The only value is (inline), which is also the default
- endpoints names the Reporting-Endpoints groups that receive violation reports
Report-Only mode#
Enforcing integrity on every script can break a site that still loads un-hashed third-party code. Deploy Integrity-Policy-Report-Only first: the browser reports every script that lacks integrity metadata to your reporting endpoint without blocking it, so you can add hashes before you enforce.
Any script without a valid integrity attribute is blocked once you enforce. Use report-only to find them all, add integrity hashes, then switch to the enforcing header.
# Observe without blocking
Reporting-Endpoints: default="https://example.com/reports"
Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(default)
# Enforce once every script has integrity metadata
Integrity-Policy: blocked-destinations=(script), endpoints=(default)Implementation Guide#
Set the header at your server or edge and make sure your build pipeline adds integrity attributes to every script tag.
# Apache
Header always set Integrity-Policy "blocked-destinations=(script), endpoints=(default)"
# Nginx
add_header Integrity-Policy "blocked-destinations=(script), endpoints=(default)" always;
# Every script tag must carry a hash
# <script src="/app.js" integrity="sha384-..."></script>Best Practices#
Integrity-Policy is most useful once your scripts already ship with SRI hashes.
- Add integrity attributes to your own and third-party scripts first
- Deploy Integrity-Policy-Report-Only, review reports, then enforce
- Combine with a strong Content-Security-Policy script-src for layered script control
- Supported across current Chrome, Edge, and Safari, with Firefox partial, so it is safe to adopt broadly
Implementation Examples#
Report-only for scripts
Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(default)Reports scripts without integrity metadata
Explanation: Finds every script that lacks an SRI hash and reports it to your endpoint, without blocking, so you can fix them first.
Enforce integrity on scripts
Integrity-Policy: blocked-destinations=(script), endpoints=(default)Blocks scripts without a valid hash
Explanation: Once every script carries integrity metadata, this blocks any un-hashed or tampered script from loading.
Key Directives#
blocked-destinations
Resource types that must carry integrity metadata: (script) or (style)
blocked-destinations=(script)sources
Where the policy applies. Only (inline) is defined, and it is the default
sources=(inline)endpoints
Reporting-Endpoints groups that receive violation reports
endpoints=(default)References#
Test Your Integrity-Policy Configuration
Scan your site to check if Integrity-Policy is properly configured.