JavaScript integrity

Third parties offer you code to implement. As a website owner you want that code to be both fast and secure: next to page speed, you most likely also care about the security of your site or shop.

When it comes to "fast", RUMvision supports LoAF (Long Animation Frames) to get insight into the performance impact of third parties. That still leaves security, and that is where Subresource Integrity (SRI) comes in.

With SRI, you supply a cryptographic hash when loading third-party (or first-party) resources. If the contents of that resource no longer match the hash, the browser will not execute it. Think of it as a fingerprint check: the file the browser fetched has to be identical to the file you generated the hash for. If it is not, something changed unexpectedly. In the worst case, the resource you are trying to load has been compromised.

When using SRI, your website is not at risk in that scenario: the browser simply refuses to execute the file altogether. Do note that while security is maintained, functionality can break: any resource whose content changes without the hash being updated, whether third-party or first-party, is blocked in exactly the same way.

Sub-resource integrity

In more technical terms, Subresource Integrity is a browser security feature that lets the browser verify that a resource it fetched has not been altered from what the page author expected. In our case, this applies to the JavaScript file that our users need to install in order to collect UX information. Offering SRI is crucial for maintaining trust with both our users and their visitors, safeguarding the websites of our customers from potential security threats. By implementing SRI, we provide an additional layer of security assurance.

See MDN for more technical details.

How SRI works

SRI works by generating a cryptographic hash of the resource content. This hash acts like a digital fingerprint of the file. It is written as the algorithm name followed by the base64-encoded digest (for example sha384-...), and a single integrity attribute may list more than one hash. When a browser encounters a script tag with an integrity attribute, it hashes the fetched file and compares the result with the expected value. If they match, the browser allows the resource to load and execute. If they do not match, indicating tampering, corruption or simply an unannounced change, the browser blocks the resource from executing, safeguarding your website. For a script served from another origin, the browser also needs crossorigin="anonymous" on the tag (and a matching CORS header from the server), because it cannot hash a response it is not allowed to read.

SRI at RUMvision

Enabling SRI

RUMvision users can enable SRI in their domain settings. A new SRI hash is then generated automatically with every change. This is reflected on your snippet page, where you will find a snippet that differs from our default snippet: it includes two additional attributes and a hash. Using this snippet and hash ensures the integrity of your domain-specific tracking script.

The new attributes look as follows (js is the script element the snippet creates):

    js.integrity = hash;            // "<algorithm>-<base64 digest>", e.g. sha384-...
    js.crossOrigin = 'anonymous';   // required so the browser may read and hash the response

For simplicity, you can copy and paste the snippet provided by our application, including these attributes and the latest hash.
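How those two attributes sit in a loader, shown as an added example rather than RUMvision's actual snippet. The URL and hash are placeholders, the document is passed in as a parameter so the function can also be exercised outside a browser, and the point it adds to the text above is what happens on failure: a rejected script fires the element's error event, so without a handler data collection simply stops without a trace.

```javascript
// Added example, not RUMvision's snippet: load a script with the two SRI
// attributes shown above and react when the browser rejects it. `doc` is the
// page's document (passed in so the function can also be exercised outside a
// browser); `src` and `integrity` are placeholders supplied by the caller.
function installSriScript(doc, { src, integrity, onFailure }) {
  const js = doc.createElement('script');
  js.async = true;
  // Set integrity and crossOrigin before the element is inserted: the fetch
  // starts on insertion, and integrity metadata set afterwards is not applied.
  // crossOrigin is required for a cross-origin script: without a CORS request
  // (and an Access-Control-Allow-Origin header from the server) the browser
  // cannot read the response body to hash it and blocks the script.
  js.integrity = integrity;
  js.crossOrigin = 'anonymous';
  // A hash mismatch, like a missing CORS header, fires the error event and the
  // script is never executed. Hand the failure to the caller instead of losing
  // data collection silently.
  js.onerror = () => {
    if (onFailure) onFailure({ src, integrity });
  };
  js.src = src;
  doc.head.appendChild(js);
  return js;
}

// The same thing as static markup, for pages that prefer a <script> tag.
function sriScriptTag(src, integrity) {
  const esc = s => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<script src="${esc(src)}" integrity="${esc(integrity)}" crossorigin="anonymous" async></script>`;
}

// Placeholder values, not RUMvision's real URL or hash.
const SCRIPT_SRC = 'https://cdn.example/tracking.js';
const SCRIPT_INTEGRITY = 'sha384-REPLACE_WITH_HASH_FROM_YOUR_SNIPPET_PAGE';

if (typeof document !== 'undefined') {
  installSriScript(document, {
    src: SCRIPT_SRC,
    integrity: SCRIPT_INTEGRITY,
    onFailure: ({ src }) =>
      console.error(`SRI check failed for ${src}; update the hash in your snippet`),
  });
}
```

The error handler is the place to raise an alert in your own monitoring; the browser itself only logs the mismatch to the developer console.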

Consequence of an SRI hash

Whenever you make changes, your domain-specific tracking script changes as well, and so does its hash. To see your changes reflected in your monitoring data, you need to update the hash in your snippet.

We want to prevent a situation where data collection suddenly stops. To achieve this, your old hash will continue to work and track data; it just will not contain your latest changes until you manually update your snippet. Updating the hash is your (organisation's) responsibility when choosing to use our SRI security feature.

Updating the hash

If you have installed an app, we will automatically notify you about changes that result in a new hash. This allows you to swiftly update the hash in your snippet.

You can use a webhook to automate this process. For Zapier, we have a step-by-step guide.

Summarized, enabling subresource integrity results in:

  • a hash that RUMvision generates automatically with every change you make (URL rule, custom timing or configuration setting);
  • the new hash being shared with you via the channel/app you subscribed to after someone made a change;
  • your snippet dashboard showing the latest hash and the correct implementation.

In your snippet logs, you will also be able to view the hashes over time.