
Subresource Integrity

Subresource Integrity (SRI) is a security feature that enables browsers to verify that the resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. This feature works by allowing you to provide a cryptographic hash that a fetched resource must match. See Subresource Integrity (SRI) to learn more about SRI.

Application Support

To comply with PCI DSS 4.0 requirements for verification of script integrity on payment pages, Adobe Commerce and Magento Open Source 2.4.7 and later include support for Subresource Integrity by providing integrity hashes for all JavaScript assets residing in the local filesystem. (This functionality is defined in the Magento_Csp module.)

Default Configuration

By default, SRI is applied only to the payment pages of the admin and storefront areas. Merchants can extend the default configuration to other pages. For example, to enable SRI on the customer account page in the storefront, create the file <module-dir>/view/frontend/layout/customer_account_index.xml with the following content:

<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
    <head>
        <link src="Magento_Csp::js/sri.js"/>
    </head>
    <body>
        <referenceBlock name="head.additional">
            <block class="Magento\Csp\Block\Sri\Hashes" name="customer.account.index.sri.hashes" template="Magento_Csp::sri/hashes.phtml"/>
        </referenceBlock>
    </body>
</page>

Subresource Integrity Hash Generation

The Subresource Integrity hash generation process begins once static content for each package area has been deployed. A postprocessor class then processes every JavaScript file within each package and generates its integrity hash. The postprocessor triggers the SubresourceIntegrityCollector class to collect the hashes, which are written to cache after all packages are deployed. All integrity hashes are stored in cache via the SubresourceIntegrityRepository class.

Subresource Integrity Caching

Subresource Integrity hashes are stored and organized in cache by the deployed package area - frontend, base or admin. The hash value for a specific file can be retrieved from the cache using the getByPath function in the SubresourceIntegrityRepository class.

Caches can be purged in the following ways:

  • From the command line: bin/magento cache:flush
  • Through the Admin UI via System > Tools > Cache Management > Flush Cache Storage
  • By redeploying static content, which regenerates the hashes: bin/magento setup:static-content:deploy

Subresource Integrity for Remote Resources

Although there is currently no SRI support for custom remote JavaScript resources, merchants can generate the integrity hash for a remote resource themselves, as in the following example.

// $content holds the raw bytes of the remote script, fetched once at build time
// (for example, with file_get_contents()); hash it at the moment you pin it.
$hash = base64_encode(hash('sha256', $content, true)); // raw digest, then standard base64
$integrity = "sha256-{$hash}";                         // value for the integrity="" attribute
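A fuller worked version of this, added here and not part of Magento or the Magento_Csp module: it wraps the snippet above in a helper, collects integrity values for a constructed set of assets keyed by path (loosely mirroring the collect-then-look-up-by-path flow described for local assets, without using Magento's own collector or repository classes), emits the matching `<script integrity="...">` tags, and checks content against an integrity value the way a browser does, so a tampered copy of a script fails. The function names, the sample assets and the tampered copy are all constructed for this example.

```php
<?php
// Added example (not Magento code): computing and checking SRI integrity values in PHP.
// sriIntegrity, sriMatches and collectIntegrityHashes are stand-ins named for illustration.
declare(strict_types=1);

/**
 * Build an SRI integrity value ("<algo>-<base64 digest>") for raw file contents.
 * Only the digest algorithms browsers accept for SRI are allowed.
 */
function sriIntegrity(string $content, string $algo = 'sha256'): string
{
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("Unsupported SRI algorithm: {$algo}");
    }
    // hash(..., true) returns raw bytes; SRI wants the standard base64 encoding of them.
    return $algo . '-' . base64_encode(hash($algo, $content, true));
}

/**
 * Check fetched content against an integrity attribute the way a browser does:
 * parse each whitespace-separated token, keep only the strongest supported
 * algorithm present, and accept if any digest for that algorithm matches.
 * Tokens with unknown algorithms are ignored; an attribute with no usable
 * token verifies nothing and is rejected here.
 */
function sriMatches(string $content, string $integrityAttr): bool
{
    $strength = ['sha256' => 1, 'sha384' => 2, 'sha512' => 3];
    $candidates = [];
    foreach (preg_split('/\s+/', trim($integrityAttr)) as $token) {
        if (!preg_match('/^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)$/', $token, $m)) {
            continue;
        }
        $candidates[$m[1]][] = $m[2];
    }
    if ($candidates === []) {
        return false;
    }
    uksort($candidates, fn(string $a, string $b): int => $strength[$b] <=> $strength[$a]);
    $algo = array_key_first($candidates);
    $actual = base64_encode(hash($algo, $content, true));
    foreach ($candidates[$algo] as $expected) {
        if (hash_equals($expected, $actual)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

/**
 * Compute integrity values for every .js asset in a path => content map,
 * keyed by path so a hash can later be looked up for a given file.
 */
function collectIntegrityHashes(array $filesByPath, string $algo = 'sha256'): array
{
    $hashes = [];
    foreach ($filesByPath as $path => $content) {
        if (str_ends_with($path, '.js')) {
            $hashes[$path] = sriIntegrity($content, $algo);
        }
    }
    return $hashes;
}

// Constructed sample assets (not real Magento files).
$assets = [
    'frontend/js/checkout.js' => "console.log('checkout');\n",
    'frontend/js/vendor.js'   => "window.vendor = true;\n",
    'frontend/css/styles.css' => "body { margin: 0; }\n",
];
$hashes = collectIntegrityHashes($assets, 'sha384');

// Emit the tags a page would carry; crossorigin is needed for cross-origin SRI checks.
foreach ($hashes as $path => $integrity) {
    printf("<script src=\"%s\" integrity=\"%s\" crossorigin=\"anonymous\"></script>\n", $path, $integrity);
}

// The pinned content passes; a modified copy of the same asset does not.
$pinned   = $hashes['frontend/js/checkout.js'];
$modified = $assets['frontend/js/checkout.js'] . "injected();\n";
var_dump(sriMatches($assets['frontend/js/checkout.js'], $pinned));
var_dump(sriMatches($modified, $pinned));
```

Compute the hash from the exact bytes you intend to serve, at the time you pin them: any later change to the file, including a legitimate redeploy, changes the digest and the browser will refuse to execute the script until the integrity value is updated.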
Copyright © 2024 Adobe. All rights reserved.