Rails And Subresource Integrity

・3 min read
Rails And Subresource Integrity


You might have had an opportunity to verify if a file you downloaded is valid and authentic compared to the original one the process is called file verification. It is based on the fact that we can take the file content, process it with an algorithm, and generate a unique checksum based on the algorithm. We can then take such achecksum and verify it against our file. When we generate a different checksum, it means the downloaded file is invalid. It might have been corrupted while being transmitted over the internet or by third parties corrupting the original file. A common usage for checksum is, for instance, in the OpenSource world. Software creators usually want to make sure that people get the original file without any modifications to its content. On the other hand, it is often used for films that you can download from the web. All in all, checksums work fairly well – we do not have to compare files bit by bit in order to ensure a file matches the original one.


File checksums verification can be used to ensure that original files arrive without any modifications to their content. In 2015, a similar idea was introduced into web applications. Since we usually load a lot of JS code into web pages, there is a possibility that some files will be modified by attackers, who may attempt to execute their own code. Such a case is sometimes very dangerous for web app users, for instance, those using apps for banking and money transfers. There has been an incident in which one person lost about 40.000 pln due to an ill-intentioned page modification. By ensuring that loaded scripts match original files one can help prevent such incidents.


The W3C organization considered the file checksums and decided to add the concept to their web specifications as Subresource Integrity. The latter works in the same way as verifying checksums and the process has the following steps:

  • the author adds an integrity attribute to the script or link tag with the value of SHA384 or SHA512 for the file
  • the browser verifies the checksum for the file
  • the browser runs the file only when it matches the checksum

That is a pretty simple idea and it works well.


In the Rails world the procedure is much more simple that the steps in the list presented above. The only element we need to think about is to add the integrity: true argument into the javascript_include_tagmethod. For instance:

javascript_include_tag :application, integrity: true# => "<script src="https://betaselleo-wpengine.netdna-ssl.com/assets/application.js" integrity="sha256-zvaSLpJVYt5L57/LrUWzxoJHVYv3YdLmQACdIgTTGWc="></script>"

Subresource Integrity is enabled from version 3.x in Rails Sprockets.

It is thus a great idea to use the 3.x version or at least upgrade the gem to this version. It will ensure that the files loaded in your app match exactly the files sent by the server or CDN. Thanks to Wojtek for feedback!

Rate this article:


based on 0 votes
Our services
See what we can create for You
Our services

Awards & Certificates

reviewed on
30 reviews
  • Top 1000 Companies Global 2021
  • Top Development Company Poland 2021
HR dream team
  • 2020 HR Dream Team Award
  • 2016 Employer Branding Featured
  • 2015 HR Dream Team Award
ISO CertificateISO Certificate
  • Information Security Management System compliant with PN-EN ISO/IEC 27001
  • Business Continuity Management compliant with ISO 22301

© 2023 Selleo. Privacy Policy & Cookies