Subresource Integrity

Subresource Integrity (SRI) is a browser security feature that lets you verify that the resources a browser fetches are delivered without any unexpected manipulation or compromise. Such manipulation could occur where the asset is served from (for example, your CDN is compromised) or in transit over the network (for example, a man-in-the-middle attack).

To verify your script, you provide an integrity attribute containing the name of a hashing algorithm (sha256, sha384, or sha512), a hyphen, and then the base64-encoded hash of the file. Here's an example:

<script src="//cdn.example.com/foo.js" integrity="sha384-367drQif3oVsd8RI/DR8RsFbY1fJei9PN6tBnqnVMpUFw626Dlb86YfAPCk2O8ce"></script>

To generate that hash, you can use OpenSSL's CLI as follows:

openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A

In addition to using the integrity attribute on <script>, you can use it on <link> for the verification of CSS style sheets. To enforce SRI, you can use the helpful CSP header:

Content-Security-Policy: require-sri-for script style;

With this header in place, any script or style sheet that lacks an integrity hash will fail to load. Once a resource is fetched, if the hash of the received file does not match the provided integrity hash, the browser refuses to execute or apply it (as if the fetch had failed). Using SRI together with CSP gives you a considerable defense against XSS.
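The following Python program is an added example, not code from the book: it reproduces both the hash generation step (the OpenSSL pipeline above) and the check the browser performs once a resource arrives. It also covers two details of the SRI specification that the prose does not show: an integrity attribute may list several hashes separated by whitespace, and only the strongest listed algorithm is consulted, so a sha256 digest next to a sha512 digest is ignored. The script body and the tag it builds are constructed sample data.

```python
"""Compute and verify Subresource Integrity (SRI) values.

Added example; not a browser implementation and not code from the book.
It mirrors what the browser does after fetching a subresource: hash the
received bytes, read the integrity attribute, and compare using only the
strongest algorithm present.
"""
from __future__ import annotations

import base64
import hashlib

# Algorithms the SRI spec allows, ordered from weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for `data`, e.g. 'sha384-<base64 digest>'.

    Produces the same string as `openssl dgst -<algo> -binary | openssl base64 -A`
    with the algorithm name and a hyphen prepended.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> dict[str, set[str]]:
    """Parse an integrity attribute into {algorithm: {base64 digests}}.

    Tokens are whitespace separated; anything after '?' is an option
    string that browsers ignore; tokens with unknown algorithms are skipped.
    """
    parsed: dict[str, set[str]] = {}
    for token in integrity.split():
        token = token.split("?", 1)[0]
        algorithm, sep, digest = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS or not digest:
            continue
        parsed.setdefault(algorithm, set()).add(digest)
    return parsed


def verify_sri(data: bytes, integrity: str) -> bool:
    """Decide whether `data` may be used under the given integrity attribute.

    Follows the SRI rule: if no supported metadata is present the resource
    is allowed (as if no integrity attribute were given); otherwise only the
    strongest listed algorithm counts, and any matching digest of that
    strength passes.
    """
    parsed = parse_integrity(integrity)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


if __name__ == "__main__":
    # Constructed sample script body standing in for foo.js on the CDN.
    script = b"console.log('hello from cdn');\n"
    integrity = sri_hash(script)
    print(f'<script src="//cdn.example.com/foo.js" integrity="{integrity}"></script>')
    print("untampered file accepted:", verify_sri(script, integrity))
    print("modified file accepted:  ", verify_sri(script + b"alert(1);", integrity))
```

Running the block prints a ready-to-paste tag for the sample file, then shows the untampered body passing and a modified body failing the check. The strongest-algorithm rule matters in practice: if a sha512 entry is present but stale, the resource is rejected even when a weaker sha256 entry still matches.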
