security.sri
- Type:
- Default:
undefined
Adds an integrity attribute to <script> and <link> tags injected into HTML so the browser can verify the resource's integrity and prevent tampering.
security.sriis implemented based on Rspack's SubresourceIntegrityPlugin
What is SRI
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) arrive without unexpected manipulation. It works by letting you provide a cryptographic hash that a fetched resource must match.
If the hash does not match, script tags are blocked from running and stylesheet links are not loaded.
For more on subresource integrity, see Subresource Integrity - MDN.
Example
When using SRI, enable html.crossorigin so resources can be properly validated during cross-origin loading.
If you do not set html.crossorigin, Rsbuild will automatically set it to anonymous.
After enabling security.sri, the <script> and <link> tags generated by Rsbuild will include the integrity and crossorigin attributes:
In addition, the manifest file generated by Rsbuild will also include an integrity field.
Note
The security.sri in Rsbuild will only apply to the tags generated by Rspack and Rsbuild and will not apply to:
- The original tags in the HTML template.
- The tags inserted through client JavaScript code.
Rsbuild will handle the following <link> tags:
<link rel="preload"><link rel="stylesheet"><link rel="modulepreload">
Options
enable
- Type:
'auto' | boolean - Default:
false
Whether to enable SRI. 'auto' means it is enabled in production mode and disabled in development mode.
Typically, you do not need to enable SRI in development mode.
algorithm
- Type:
'sha256' | 'sha384' | 'sha512' - Default:
'sha384'
Specifies the algorithm used to compute the integrity hash.
For example, set to sha512:
The generated value of integrity attribute will be prefixed with sha512-:
Reference: Cryptographic hash functions.