I have a few <script src=""> tags in my script. For all the js files that are in the internal file system, I'm using the mand like-
cat jquery.js | openssl dgst -sha384 -binary | openssl base64 -A
to generate a base64-encoded sha384 hash and include that in the script tag like-
<script src="/js/jquery.js" integrity="J3vFgsKDNFSLyAxQe5jAHGNrVWc5wlIQG+hTxg57KX5ESMgxRMK1AbVWMP7kXogS"></script>
But my script also has a few js that are external like-
<script src=".js"></script>
How can I generate the hash for the external js so that I can include the intergrity attribute for those as well?
I have a few <script src=""> tags in my script. For all the js files that are in the internal file system, I'm using the mand like-
cat jquery.js | openssl dgst -sha384 -binary | openssl base64 -A
to generate a base64-encoded sha384 hash and include that in the script tag like-
<script src="/js/jquery.js" integrity="J3vFgsKDNFSLyAxQe5jAHGNrVWc5wlIQG+hTxg57KX5ESMgxRMK1AbVWMP7kXogS"></script>
But my script also has a few js that are external like-
<script src="https://code.jquery./jquery-latest.js"></script>
How can I generate the hash for the external js so that I can include the intergrity attribute for those as well?
Share Improve this question asked Mar 6, 2019 at 17:56 manishkmanishk 5368 silver badges28 bronze badges2 Answers
Reset to default 4You can generate the SRI Hash for external js resources on this link SRI HASH
I ran a diagnosis after this, and works perfectly
You could always download the file to disk and then run your mand. Or alternatively you can swap out the first part of your mand - instead of cat jquery.js, you can have curl -s <URL>
Putting it together:
curl -s https://code.jquery./jquery-latest.js | openssl dgst -sha384 -binary | openssl base64 -A
Keep in mind that if (when) the script is updated by the third-party, integrity check will fail. With the jQuery example, you should expect that a "jquery-latest.js" file will change when an update is released (hence breaking the integrity check and causing the script to fail to load). In other words, your web site is likely to break when an update is released.
You may want to consider linking to a specific version instead (e.g. "https://code.jquery./jquery-3.4.1.min.js"). This means you (or another web developer on the team) will be responsible for keeping jQuery (and the script tag's hash) up to date - especially when a security fix is released.
Also it's worth noting that if the file is hosted on the same domain (i.e. on your web server), you don't have to include the hash for PCI pliance. The hash is only required for externally hosted javascript files.