Overview

Subresource Integrity (SRI) enables browsers to verify that resources they fetch are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that the fetched resource must match. SRI matters because it offers protection against malicious tampering. If an attacker exploited a content delivery network (CDN) and modified the contents of JavaScript libraries hosted on that CDN, it would create vulnerabilities in all websites that use those libraries. SRI helps prevent attacks like cross-site scripting (XSS) by ensuring that the resources delivered to your site are exactly what they should be.

How to Enable SRI

Formo supports SRI integration, providing an additional layer of security for your data and users. Enable SRI on the browser install snippet by updating the src and integrity fields: 
<script
  src="https://unpkg.com/@formo/analytics@1.19.2/dist/index.umd.min.js"
  integrity="sha384-PmA7CScDgxGe53CD6YHvQUohUxDy42+/veXDFIKAZLNbo7rg+m8LOqJ6t0D4xyF3"
  crossorigin="anonymous"
  defer
  onload="window.formofy('<YOUR_WRITE_KEY>');"
></script>
Get the latest version number and integrity hash on Github.
The hash in the integrity attribute within the Formo install script works with SRI to lock an external JavaScript resource to its known contents at a specific point in time. This is verified by a base64-encoded cryptographic hash. If the file is modified after this point, the hash won’t match, and supporting web browsers will refuse to load it. This ensures that the script you’re running is exactly the one provided by Formo, without any hidden changes or malicious code.