We’re getting downgraded on our security by SecurityScorecard because we don’t have Subresource Integrity and our clients are asking us to look into it. How can I add this to our web site?
Check enterprise features. It delivers more.
We have relatively simple web site needs and the starter plan has been quite sufficient… except for the subresource integrity omission. Since pricing isn’t posted for Enterprise plans, I suspect it is a significant financial investment. Are you telling me that subresource integrity cannot be provided on our plan?
If you mean SRI for your custom scripts, you’d add that yourself, calculate the hash and add the integrity attribute.
Some scripts, like GA and jQuery, already include it.
If you mean for webflow.js files, I’ve never seen that added, even on enterprise plans. Might not be a feature. I recommend you contact support and check, which will also let them know it’s a desired feature for some users.
Note I’ve seen integrity attributes trip up VPN users; the security modules can get confused and block those scripts, so test carefully.
Yes, I’m talking about just a basic web site, no custom scripts. I guess support it is, but I’m not very optimistic.
Me either. I’m unsure what attack vector this is meant to protect against. I suppose local network-layer and man-in-the-middle attacks between a consumer and Webflow’s CDN.
One option could be to build a reverse proxy on Cloudflare that retrieves the JS directly from Cloudflare (difficult to do a MITM attack between CF and WF, I imagine). Generate the hash, update the pages with integrity hashes, and KV-store the hashes themselves for performance.
Since Webflow now does page-specific JS you’d need to ensure that the hashes are purged and regenerated on site publish, but that’s relatively easy with a webhook.
Feels like a bit of overkill but if you need it, it’s not a terribly complex build.
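The steps the replies describe (calculate the hash, add the integrity attribute, regenerate on publish), as an added Node.js example that is not part of the thread or Webflow's own code. The script URL, page markup and function names are constructed for illustration, and a `Map` stands in for the KV store.

```javascript
// Added example, not from the thread. URL, markup and names are constructed.
const { createHash } = require("node:crypto");

const SAMPLE_URL = "https://cdn.example.com/js/site.js"; // placeholder URL
const SAMPLE_JS = "console.log('site script v1');\n";    // constructed body
const SAMPLE_HTML =
  "<html><body>" +
  `<script defer src="${SAMPLE_URL}" type="text/javascript"></script>` +
  "<script>var inline = 1;</script></body></html>";

// SRI value = "<algo>-<base64 digest>" over the exact bytes the CDN serves.
function sriHash(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// What the browser does before executing: re-hash the response and compare.
function verifySri(body, integrity) {
  const algo = integrity.split("-", 1)[0];
  return sriHash(body, algo) === integrity;
}

// Pin every <script src> whose URL has a stored hash. Inline scripts and tags
// that already carry an integrity attribute are left untouched. Cross-origin
// scripts need crossorigin (CORS) or the browser cannot check the hash.
function addIntegrity(html, hashes) {
  const tagRe = /<script\b([^>]*?\s)src="([^"]+)"([^>]*)>/gi;
  return html.replace(tagRe, (tag, pre, src, post) => {
    if (!hashes.has(src) || /\sintegrity=/i.test(tag)) return tag;
    const pin = ` integrity="${hashes.get(src)}" crossorigin="anonymous"`;
    return `<script${pre}src="${src}"${pin}${post}>`;
  });
}

// A republish changes the script bytes, so the stored hash must be rebuilt;
// otherwise the browser refuses to run the new file.
function demo() {
  const hashes = new Map([[SAMPLE_URL, sriHash(SAMPLE_JS)]]);
  const republished = SAMPLE_JS.replace("v1", "v2");
  return {
    html: addIntegrity(SAMPLE_HTML, hashes),
    currentOk: verifySri(SAMPLE_JS, hashes.get(SAMPLE_URL)),
    staleOk: verifySri(republished, hashes.get(SAMPLE_URL)),
  };
}

console.log(demo());
```

The `staleOk: false` result is the failure a visitor would hit if the page kept an old hash after a publish, which is why the regeneration step has to be tied to the publish event.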