Overview
Subresource Integrity (SRI) enables browsers to verify that resources they fetch are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that the fetched resource must match.
SRI matters because it offers protection against malicious tampering.
If an attacker exploited a content delivery network (CDN) and modified the contents of JavaScript libraries hosted on that CDN, it would create vulnerabilities in all websites that use those libraries.
SRI helps prevent attacks like cross-site scripting (XSS) by ensuring that the resources delivered to your site are exactly what they should be.
How SRI Prevents MITM Attacks
SRI provides cryptographic protection against man-in-the-middle attacks:
- Hash verification - The browser computes a SHA-384 hash of the downloaded script
- Integrity check - If the hash doesn’t match the integrity attribute, the browser refuses to execute the script
- Tamper detection - Any modification in transit (MITM) or at rest (CDN compromise) is detected
If someone intercepts the script during transit and modifies it, the hash will not match and the browser will block execution entirely. This is the same protection mechanism used by major CDNs like cdnjs and unpkg.
How to Enable SRI
Formo supports SRI integration, providing an additional layer of security for your data and users.
Enable SRI on the browser install snippet by updating the src and integrity fields:
<script
src="https://cdn.formo.so/analytics@1.27.0"
integrity="sha384-Of/xaFqbXZEsMr8slF/A5m/gGtH17zowAzrQ1AGCKglE6hqmTSKmHr50f8NHTHvU"
crossorigin="anonymous"
defer
onload="window.formofy('<YOUR_WRITE_KEY>');"
></script>
Get the latest version number and integrity hash on GitHub.
The hash in the integrity attribute within the Formo install script works with SRI to lock an external JavaScript resource to its known contents at a specific point in time. This is verified by a base64-encoded cryptographic hash.
If the file is modified after this point, the hash won’t match, and supporting web browsers will refuse to load it. This ensures that the script you’re running is exactly the one provided by Formo, without any hidden changes or malicious code.
Verifying the Integrity Hash
You can independently verify the SRI hash using the following methods:
Using OpenSSL (macOS/Linux):
curl -s https://cdn.formo.so/analytics@1.27.0 | openssl dgst -sha384 -binary | openssl base64 -A
Using Node.js:
const crypto = require('crypto');
const https = require('https');
https.get('https://cdn.formo.so/analytics@1.27.0', (res) => {
  // Only hash a successful response; hashing an error page yields a misleading value
  if (res.statusCode !== 200) {
    console.error('Unexpected HTTP status ' + res.statusCode);
    res.resume();
    return;
  }
  const hash = crypto.createHash('sha384');
  res.on('data', (chunk) => hash.update(chunk));
  res.on('end', () => console.log('sha384-' + hash.digest('base64')));
}).on('error', (err) => console.error('Request failed: ' + err.message));
The output should match the integrity hash published in our GitHub releases.
Combined Protection with CSP
For maximum security, combine SRI with Content Security Policy. When both are enabled:
- CSP restricts where scripts can load from and where data can be sent
- SRI ensures the loaded script hasn’t been tampered with
- TLS 1.2+ encrypts all traffic in transit
This defense-in-depth approach makes it effectively impossible for an attacker to compromise the Formo SDK through MITM attacks.