Integrity Policy


What is Integrity Policy?

Integrity Policy allows you to monitor and even enforce the use of Subresource Integrity (SRI) for the JavaScript assets on your website.

Whether you just want to understand your current coverage or exposure, or require that all JavaScript assets use SRI, Integrity Policy has a configuration for you.


Enable Integrity Policy

Add the following HTTP response header to your website to start gathering data. The Report-Only variant only reports; it never blocks a script from loading:


Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(default)


That's it, you're now ready to start gathering data!


Enable the Reporting API

Once you have enabled Integrity Policy above, you will need to tell the browser where to send the new data. For this, we will use the Reporting API. You can visit the docs page for the Reporting API for more details, but all that is required is the addition of a new response header:


Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"{URL}"}],"include_subdomains":true}


This defines a new reporting group called default, and you can find the URL value on the Setup page of your account. Once you have added this HTTP Response Header, data will start showing up in your account as problems are identified!


Viewing Integrity Policy events

You can check the Usage Metrics table on your account Home page to see when Integrity Policy telemetry has been received and processed; once it has, it shows as 'Accepted' in the table. You can then head to the Integrity Policy page and view that data.

Integrity Policy

On the Reports page, you can view and search through all data using the column headings, as with any of our other products. You will now be able to see Integrity Policy events for every JavaScript file for which we received telemetry.


Quick Tips and FAQ

Integrity Policy only triggers events when your site loads JavaScript that was eligible for SRI but was loaded without it. If nothing on your site is missing this protection, no events are sent.


Q: Will Integrity Policy events be sent for JS files that are not eligible?
A: No, events will only be sent if the JavaScript file was loaded without SRI and was eligible to use SRI.


Q: Can I prevent JavaScript files being loaded without SRI protection?
A: Yes. If you remove Report-Only from the header name (so it reads Integrity-Policy), the browser will block the JavaScript file from loading and send an event to us.


Q: Will this use a lot of events?
A: No, events are only sent if a JavaScript asset is loaded without SRI, otherwise no events are sent.


https://scotthelme.co.uk/integrity-policy-monitoring-and-enforcing-the-use-of-sri/

https://w3c.github.io/webappsec-subresource-integrity/#integrity-policy-section

https://scotthelme.co.uk/subresource-integrity/