⚠️ No CSP Integrity — scripts load with no record of what code actually ran

CSP Integrity

See how the CSP 'report-sha256' keyword sends the hash of every loaded script to Report URI — giving you cryptographic proof of exactly what code ran on your page.

Third-party script loading

This page loads a script from evil-cyber-hacker.com — without CSP Integrity you have no cryptographic record of what it contained.

⚠️ No hash reporting. The script loads and runs freely. If the file were silently modified on the third-party server — or replaced by a supply chain attack — you would have no way of knowing. No report is sent to Report URI, so there is no record of what code executed.
Third-party script status

https://evil-cyber-hacker.com/demo/library.js

The supply chain problem

When you load a script from a third-party host you are trusting that server to serve the exact file you expect — every time, for every user. If that server is compromised, or the file is modified in transit, your users run attacker code. Without cryptographic verification you have no record of what actually executed on your page.

Example CSP hash report (sent by the browser)
{
  "csp-hash": {
    "destination": "script",
    "documentURL": "https://report-uri-demo.com/csp-integrity/?protected",
    "hash": "sha256-Ay4ULFZ80TqgOvkYTt3V5bc4EGYlt7QLVNSDSLcMMx8=",
    "subresourceURL": "https://evil-cyber-hacker.com/demo/library.js",
    "type": "subresource"
  }
}
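
Added example (not part of the original demo and not Report URI's code): a Python sketch of how a report receiver can use these hash reports, comparing each reported hash with the hash of the script version you reviewed. It assumes each report arrives with the "csp-hash" body shown above; the function names, the baseline and the sample script bodies are constructed for illustration.

```python
import base64
import hashlib
import json

def sri_sha256(body: bytes) -> str:
    """Digest in the 'sha256-<base64>' form that appears in the report."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def well_formed(value) -> bool:
    """True only for 'sha256-' followed by base64 that decodes to 32 bytes."""
    if not isinstance(value, str) or not value.startswith("sha256-"):
        return False
    try:
        return len(base64.b64decode(value[7:], validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def triage(raw_report: str, baseline: dict) -> tuple:
    """Classify one report: match, mismatch, unknown-url or malformed."""
    try:
        body = json.loads(raw_report)["csp-hash"]
        url, seen = body["subresourceURL"], body["hash"]
    except (ValueError, KeyError, TypeError):
        return ("malformed", None, None)
    if not isinstance(url, str) or not well_formed(seen):
        return ("malformed", None, None)
    if body.get("destination") != "script":
        return ("malformed", url, None)
    if url not in baseline:
        return ("unknown-url", url, seen)  # script nobody has reviewed yet
    return ("match" if seen == baseline[url] else "mismatch", url, seen)

# Constructed sample data: a reviewed script body and a modified copy.
URL = "https://evil-cyber-hacker.com/demo/library.js"
REVIEWED = b"console.log('library v1');\n"
TAMPERED = REVIEWED + b"/* unreviewed addition */\n"
BASELINE = {URL: sri_sha256(REVIEWED)}  # hashes recorded at review time

def make_report(url: str, body: bytes) -> str:
    """Build a report in the shape shown above for the given script bytes."""
    return json.dumps({"csp-hash": {
        "destination": "script",
        "documentURL": "https://report-uri-demo.com/csp-integrity/?protected",
        "hash": sri_sha256(body),
        "subresourceURL": url,
        "type": "subresource"}})

if __name__ == "__main__":
    for script in (REVIEWED, TAMPERED):
        print(triage(make_report(URL, script), BASELINE))
```

A "mismatch" result means the browser ran bytes that differ from the reviewed file, which is the signal to investigate the third-party host.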