In Web3, every external script your dApp loads is a potential attack vector. A single compromised file can leak sensitive wallet data, break critical functionality, or trigger phishing attacks. That’s why Formo implements Subresource Integrity (SRI) in its tracking snippet.
SRI ensures that scripts run exactly as intended—untampered, verifiable, and cryptographically secure. SRI is a core security feature that protects your users by ensuring external resources (like JavaScript or CSS files) haven’t been modified. This is especially important for Web3 apps, where scripts often interact with wallets and onchain data.
In this guide, we’ll show you how SRI works and how Formo uses SRI to protect your users.
Formo uses SRI to safeguard your data and protect user security
In this article, you’ll learn:
What Subresource Integrity (SRI) is
Why SRI matters for Web3 teams
How to enable SRI with Formo
How to generate an SRI hash
How Formo keeps your data and users secure
What Is Subresource Integrity (SRI)?
SRI is a security feature that allows browsers to verify that a fetched file (like a JavaScript or Cascading Style Sheets ) hasn’t been unexpectedly modified. SRI helps prevent attacks like cross-site scripting (XSS) by ensuring that the resources delivered to your site are exactly what they should be.
SRI lets browsers verify that fetched files haven’t been tampered with
When you include an integrity attribute in your <script> or <link> tag, the browser checks the file’s cryptographic hash. Subresource Integrity works by comparing the file’s cryptographic hash to an expected value. If the file doesn’t match, it won’t load. This ensures that even if a CDN or MITM attacker tries to swap the file, your users are protected.
See Subresource Integrity to learn more about SRI.
Benefits of SRI:
Integrity check: Ensures files are exactly what you expect.
Tamper detection: Blocks scripts modified after publication.
Defense in depth: Complements HTTPS, CSP, and other security headers.
Trust: Reassures users and auditors that third-party scripts are verified.
Prevents supply chain attacks: One of the most common vectors in modern web vulnerabilities.
How SRI Works (With Code Example)
To use SRI, include the integrity attribute (with a hash) and crossorigin="anonymous" in your script tag:
<script
src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"
></script>
If someone changes the file, the hash won’t match, and the browser will refuse to load it.
Why SRI Matters for Web3 Product Analytics
Web3 teams track wallet activity and onchain behaviors in-app. That means trust, accuracy, and data safety are critical.
A single compromised script could:
Steal sensitive web3 user data
Corrupt user flows
Deface your UI
Trigger DoS or phishing attempts
Formo's Web3 product analytics run directly in your users’ browsers. That’s why we built Subresource Integrity into our install script. SRI protects your analytics integration from being a weak link, so every Formo user can trust that what’s loaded is exactly what was published.
Real-World Risk: CDN Tampering
Imagine your dApp uses a popular UI library hosted on cdn.library.org. A hacker manages to inject a keylogger or redirect script into that CDN file.
Every project that loads this file now:
Sends wallet addresses and metadata to an attacker
Alter UI elements or links
Records seed phrases or session tokens
SRI helps you stop this cold. If the file is changed, the hash won't match, and your browser will block it before execution.
How to Generate an SRI Hash
You can manually generate a hash using your terminal:
bash
CopyEdit
curl -s https://example.com/script.js | \
openssl dgst -sha384 -binary | \
openssl base64 -A
Use sha256, sha384, or sha512 as the hash algorithm. Example:
html
CopyEdit
<script
src="https://code.jquery.com/jquery-2.1.4.min.js"
integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"
crossorigin="anonymous"
></script>
Make sure to load all resources over HTTPS and that the CDN supports CORS by setting Access-Control-Allow-Origin.
How Formo Keeps Your Site Secure
Every external script you load is a potential risk. At Formo, we’ve automatically implemented key protections so our analytics snippet stays tamper-proof, transparent, and secure.
Integrity Attribute
The Integrity attribute ensures the script running in your browser is exactly what we shipped—no tampering, no surprises.
When you install the Formo snippet, it includes a unique cryptographic hash. Your browser compares the file it receives against this hash:
If it matches, the script runs.
If not, it’s blocked because it’s not safe.
Cross-Origin Attribute
Formo uses the crossorigin attribute to restrict how scripts interact across domains. Cross-Origin Attribute limits the script’s ability to access or affect other sites—an important layer of defense against common web threats like cross-site scripting (XSS). Cross-Origin Attribute keeps data boundaries tight and reduces exposure to unauthorized access or leakage.
Content Security Policy (CSP)
CSP is your browser’s built-in firewall for external content. It lets you define exactly which domains your site can load resources from. In your site’s <head>, set a rule to allow scripts only from our secure CDN. CSP blocks any unknown or untrusted scripts from sneaking in, giving you more control over what runs on your site.
How to Enable SRI in Formo
Formo supports SRI integration, providing an additional layer of security for your data and users. Enable SRI on the browser install snippet by updating the src and integrity fields, so all you need to do is copy and paste:
<script
src="https://cdn.formo.so/analytics@1.17.8"
integrity="sha384-YT9NpJXXJ7yEQhqLi5hukWO/MvuUX9TM3rNeQUS2lXXd0SdS2xJiA7n8T6IDAU4A"
crossorigin="anonymous"
defer
onload="window.formofy('<YOUR_WRITE_KEY>');"
></script>
Get the latest version number and integrity hash on GitHub.
The hash in the integrity attribute within the Formo install script works with SRI to lock an external JavaScript resource to its known contents at a specific point in time. This is verified by a base64-encoded cryptographic hash.
If the file is modified after this point, the hash won’t match, and supporting web browsers will refuse to load it. This ensures that the script you’re running is exactly the one provided by Formo, without any hidden changes or malicious code.
Why Use the Subresource Integrity (SRI)?
SRI secures third-party scripts and styles by verifying that they haven’t been tampered with. SRI protects your site from man-in-the-middle attacks and malicious code injection.
With Formo’s SRI support, you can trust that:
Your web app only runs trusted scripts.
Third-party scripts haven’t been silently modified.
You’re protected from supply chain and MITM attacks.
In Web3, even a single compromised script can lead to attacks or disrupt your dApp. Subresource Integrity (SRI) ensures that only verified, untampered code runs in your users’ browsers. That’s why Formo supports Subresource Integrity (SRI) and self-hosting, giving you full control over how your analytics are delivered. No hidden dependencies. No silent updates. Just clean, transparent execution that aligns with the ethos of decentralization. Formo helps Web3 teams easily implement SRI, making data integrity and script security a built-in safeguard.
Further sources:
Follow us on LinkedIn and Twitter, and join our community to learn how Web3 teams turn insights into action with Formo!
Additional FAQs
1. What happens if I don’t use the crossorigin attribute with SRI?
Without crossorigin="anonymous", Subresource Integrity (SRI) may not function properly for cross-origin requests. The browser could skip the integrity check or fail to load the resource entirely. Always use the correct crossorigin attribute when loading scripts from a CDN to ensure full SRI protection.
2. Do I need to update the hash when the SDK or script version changes?
Yes. Anytime the content of the external script changes—even a minor update like whitespace or formatting—you must generate a new SRI hash and update the integrity attribute. This ensures the browser continues to verify the exact contents of the file.
3. What happens if the SRI hash does not match the file content?
If the file’s cryptographic hash differs from what’s defined in the integrity attribute, the browser will block the script from loading and log a console error. Your application should handle this gracefully, potentially by using fallbacks or backup functionality.
4. Is Subresource Integrity (SRI) supported by all modern browsers?
Yes, all major modern browsers—including Chrome, Firefox, Safari, and Edge—support Subresource Integrity. This makes SRI a widely applicable and effective security practice for protecting your web application.
5. How does SRI protect against compromised third-party scripts?
SRI adds a layer of trust to third-party resources by verifying their cryptographic hash before execution. If a script has been modified (intentionally or accidentally), the browser will detect the mismatch and prevent the compromised code from running. This helps protect against CDN hijacking, man-in-the-middle (MITM) attacks, and supply chain threats.
6. What are the limitations or challenges of using SRI?
The main limitation is maintainability. If a third-party script updates frequently, you'll need to manually recalculate and update the SRI hash each time. This can be time-consuming for dynamic or versioned scripts and may break your app if overlooked.
