This plugin sets statically configured Subresource Integrity (SRI) hashes on requests performed by configured wrapped transport plugins.
This allows plugins that know how to handle it (or that use underlying browser APIs that automatically handle SRI, like
fetch()) to verify integrity of retrieved content before returning it as a response.
IMPORTANT NOTE: this plugin, by itself, does not verify the integrity of fetched resources; it merely sets the integrity data on the requests. It’s up to the wrapped plugin to actually use that data to verify integrity (like the
integrity-check plugin) or rely on browser APIs like
fetch() to handle this automatically.
basic-integrity plugin supports the following configuration options:
Array containing exactly one object which is in turn a configuration of a wrapped plugin. This plugin will be used to actually handle any requests.
integrity (default: empty)
An object mapping absolute URLs (e.g. “
https://example.com/img/test.png”) to integrity hashes (e.g. “
sha384-kn5dhxz4RpBmx7xC7Dmq2N43PclV9U/niyh+4Km7oz5W0FaWdz3Op+3K0Qxz8y3z”). Supported integrity hash algorithms as per SRI specification:
The integrity string can contain multiple hashes, space-separated, as per the standard.
Boolean value specifying if integrity data is required for a request to handled. That is: if a request is being handled for a URL that does not have integrity data associated with it, should the request be processed, or errored out?
basic-integrity plays it safe and assumes you want integrity data to be present for all resources being fetched; if you only want certain resources to have integrity verified, set this to
Importantly, integrity data does not need to be explicitly configured in this plugin’s config — if integrity data is available in the request already, that also counts, even if no specific data is configured for this URL in this plugin’s config.