undefined
>= 0.7.3
Adding an integrity
attribute to <script>
and <link rel="stylesheet">
tags introduced by HTML allows the browser to verify the integrity of the introduced resource, thus preventing tampering with the downloaded resource.
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
For <script>
tags, the result is to refuse to execute the code; for CSS links, the result is not to load the styles.
For more on subresource integrity, see Subresource Integrity - MDN.
When using SRI, you need to enable html.crossorigin, which ensures that resources can be properly validated with SRI during cross-origin loading.
The <script>
and <link rel="stylesheet">
tags generated by Rsbuild will include the integrity
and crossorigin
attributes:
The security.sri
in Rsbuild will only apply to the tags generated by Rsbuild and will not apply to:
'auto' | boolean
false
Whether to enable SRI. 'auto'
means it's enabled during production builds and disabled during development builds.
Typically, you do not need to enable SRI during development.
'sha256' | 'sha384' | 'sha512'
'sha384'
Specifies the algorithm used to compute the integrity hash.
For example, set to sha512
:
The generated value of integrity attribute will be prefixed with sha512-
:
Reference: Cryptographic hash functions.