Subresource Integrity

If you’ve been keeping up with recent browser developments you may have noticed that in the past few weeks both Chrome and Firefox have started to support subresource integrity, with companies like Github making an active push for other sites to make use of the functionality. This is a low-risk change that offers tremendous security gains for your users, so we just pushed out an update that makes it easier to start using subresource integrity on your website.

Subresource integrity is a new browser feature that allows websites to ensure the integrity of resources loaded from external sources, such as content delivery networks (CDNs). This is a common technique used by websites to speed up the loading of assets, including common Javascript libraries like jQuery.

As is the nature of loading arbitrary code, this has always opened up websites to the possibility of being attacked through their CDN: an insecure or malicious CDN holds the potential to insert malicious code onto any website to which it serves assets. Subresource integrity serves to mitigate this attack by ensuring that all loaded resources contain the exact content expected by the website. This is done through the use of a cryptographic digest, computed on all fetched resources, that is then compared against an expected digest. This provides the browser the capability of detecting resources that have been tampered with, allowing it the opportunity to abort the loading of the resources before any malicious code is executed.

Protecting a resource is done by adding the “integrity” attribute to an asset’s HTML tag:

<script src=""

It’s an elegant solution to a very serious risk, and it’s a solution we recommend implementing. It won’t secure all of your users, with Microsoft Edge still not supporting the feature, but it can serve as a valuable line of defense in the event of a breach of your CDN. Many of the popular web frameworks provide libraries that make it easy to enable subresource integrity on your assets, and further instructions on making use of the technology are available on the Mozilla Developer Network.

Going forward, all Tinfoil Security scans will flag external resources that are not protected by subresource integrity. Give it a try by signing up for our 30-day free trial.

Quinn Wilton

Quinn Wilton is the Grand Magistrate of Security at Tinfoil Security, and the company's resident programming language theorist. When she isn't coding in a functional language like Elixir, she's probably hacking on an interpreter for an esolang of her own, or playing around with dependent types in Idris. Security is always at the forefront of her thoughts, and she enjoys building tools which make it easy for other engineers to write secure code. Her love for security is matched only by her love for bad movies - and does she ever love bad movies.

Tags: browser security security New Feature

Introducing the Tinfoil Private Beta

Welcome to Tinfoil Security!

We simplify security, integrating it into your development lifecycle, and making it a simpler test before you push out new code, rather than a compliance checkbox or an afterthought. Our aim is to make security recurring, affordable, and as simple for your engineers to use as possible. We’re beginning by securing all of your organization’s websites.

Recently, we were proud to announce the launch of the private beta of our first product: the Tinfoil Security web application scanner. Our scanning technology is comparable to other web application scanning tools and, in many cases, better. We’ll crawl your site, a bit like Google does, but instead of looking for text and images, we’re looking for anywhere we might be able to input and inject data. We then go through a multitude of security checks, trying to find each potential beachhead an attacker could use to access your website. We specialize in recurring and efficient checks, looking at all potential access points on your website. We’ll scan your externally facing site as well as all of your internal dashboards and application data post-authentication.

You get a comprehensive security report of your sites’ safety, along with all of your vulnerability information. You’ll know exactly where we found each vulnerability,  what the vulnerability is and what it can do, how we attacked your site (so you can go in and replay the attack), and we’ll also guide you in fixing each vulnerability, tailoring our results specifically to your software stack. It’s a fully automated solution, keeping your costs low and your number of security checks high.

Tinfoil Security takes a proactive approach, letting you know where you are vulnerable before you've been hacked and before any data is exported from your site, so you can prevent it in the first place. And we do it all while keeping the amount of data thrown your way as manageable as possible.

We’re incredibly excited about where Tinfoil is headed, and hope you’re just as excited to help us get it there.

If you’re interested in finding out more about Tinfoil, or just more about new ideas and news in vulnerability research, keep watching this blog, which will be updated with our latest features and our thoughts on security and the industry.

There's way more to come, so be sure to sign up for our beta list at and we'll get you in the door.

Until next time!
Ainsley, Borski, & The Tinfoil Team

Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing, flying kites, and paragliding.

Tags: New Feature Private Beta