In this post we will discuss why developers should implement integrity checking of scripts and other related resources. 

To start, what is integrity checking? Integrity checking involves using a hashing algorithm to create a cryptographic hash of the content of a file. 

If this same file gets altered in any way, the hash will be different.

For example, this is the jQuery’s CDN link which includes the integrity attribute using the SHA256 hashing algorithm:

SHA256 hashing algorithm

SHA256 hashing algorithm

The displayed hash is the hash calculation at the time of release. So, in the event of this file getting changed and the hash not getting updated, this will not get loaded. Not having integrity checking will allow for file changes to happen and these will happily get loaded. 

Ultimately, the question here will most likely be how this could ever cause an issue. An example of an issue would be the use of a service provider to store assets. Here are some of the risks:

  • Unauthorised change occurring due to an unforeseen reason,
  • An insider tampering with the resources
  • A hacker with malicious intent. 


To expand on this example would be the use of a “Subdomain Takeover”. This occurs when there has been a misconfiguration when using an external service provider to host a site or assets.

To demonstrate this, we have the following: -> (Main Site) -> (Serving test.js to main site) 

The below screenshot shows the setup:

Hosted on, is test.js. When visiting, test.js gets loaded from and an alert is executed. This being the correct test.js:

correct test.js

Now, if the host which serves test.js is removed without any other further configuration change, what could happen? This may be a problem (see the before and after screenshots below). To continue this, will be removed from the main account. However, the DNS CNAME record will be left pointing to as previously shown in the above nslookup screenshot.

Attempting to load the main site again will now show an error 404 (Not Found) for test.js:

We go over to a different account, and re-create again (as it doesn’t exist anymore) and push a modified test.js to it:

When the main site is now accessed, it will still show an error 404:

There needs to be a custom domain setup to make this work. So, we’ll just create it with this different account that was re-created with:


Except for some minor modifications which were required, when we now access the main site again this should load the test.js. However, with the slight change that was made to test.js this will now show a different alert message:

alert message

Now it has been shown how a script (test.js in this case) could be modified in this scenario and get executed due to not utilising integrity checking. We will go through how to setup integrity checking. For further information on this you can go to

Use the following command to generate a base64 encoding of a SHA256 hash. Please note, this is slightly different to the mentioned command in the URL above:

openssl dgst -sha256 -binary FILENAME.js | openssl base64 -A

Just like the jQuery script snippet, the script tag within the main site has been adjusted to include a SHA256 integrity hash of the original test.js:

When reloading this again the script doesn’t execute and shows a console message that the integrity hash doesn’t match the test.js content which is being received:

As you can see, integrity checking is great for making sure any externally hosted assets are the ones that are intended and not malicious.


Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
ukas iso 9001ukas iso 27001
Back to top
Get in touch