🛡️ Integrity-Policy active — scripts without SRI are blocked and reported

Integrity Policy

See how Integrity-Policy blocks scripts loaded without Subresource Integrity and reports the violation to Report URI — enforcing SRI across your entire page.

Integrity-Policy active — the script is blocked and a report sent to Report URI

Script blocked — missing SRI integrity attribute

The same script loads without an integrity attribute — Integrity-Policy blocks it and reports the violation

✅ SRI enforcement active. The Integrity-Policy header requires all scripts to carry an integrity attribute. Because this script has none, the browser blocks it from loading and sends a report to Report URI identifying the URL and destination.

Third-party script status

https://evil-cyber-hacker.com/demo/library.js

Integrity-Policy header sent with this page
Integrity-Policy: blocked-destinations=(script), endpoints=(default)

What Integrity-Policy does

Integrity-Policy makes SRI mandatory for the destinations you specify. Any script loaded without an integrity attribute is blocked before it executes, and a report is sent to the endpoint you declare in the Reporting-Endpoints header. This turns SRI from an opt-in attribute into an enforced policy — a missing integrity attribute becomes a visible, reportable event rather than a silent gap in your defences.

Example Integrity-Policy report (sent by the browser)
{
  "integrity-violation": {
    "blockedURL": "https://evil-cyber-hacker.com/demo/library.js",
    "destination": "script",
    "documentURL": "https://report-uri-demo.com/integrity-policy/?protected",
    "reportOnly": false
  }
}
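
An added example (not part of the original page and not Report URI's code): a simplified Node.js model of the enforcement described above. It parses the header shown on the page, flags scripts that have no integrity value, and builds a report in the shape of the page's example. The `cdn.example` URL, the script body and all function names are assumptions made for illustration.

```javascript
// Added example, not Report URI's code: a simplified model of the check above.
const crypto = require("crypto");

// SRI value for a script body: "<alg>-<base64 digest>".
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse the header form shown on the page: key=(token ...), key=(token ...).
// Assumption: this is not a full Structured Fields parser.
function parseIntegrityPolicy(header) {
  const policy = {};
  for (const m of header.matchAll(/([a-z-]+)=\(([^)]*)\)/g)) {
    policy[m[1]] = m[2].trim().split(/\s+/).filter(Boolean);
  }
  return policy;
}

// One report (in the shape of the page's example) per script that has no
// integrity value while "script" is a blocked destination.
function auditScripts(header, documentURL, scripts) {
  const blocked = parseIntegrityPolicy(header)["blocked-destinations"] || [];
  if (!blocked.includes("script")) return [];
  return scripts
    .filter((s) => !(s.integrity || "").trim())
    .map((s) => ({
      "integrity-violation": {
        blockedURL: s.src,
        destination: "script",
        documentURL,
        reportOnly: false,
      },
    }));
}

// Constructed sample input. cdn.example and LIB_BODY are hypothetical.
const HEADER = "Integrity-Policy: blocked-destinations=(script), endpoints=(default)";
const DOC = "https://report-uri-demo.com/integrity-policy/?protected";
const LIB_BODY = "console.log('library loaded');";
const SCRIPTS = [
  { src: "https://evil-cyber-hacker.com/demo/library.js" }, // no integrity attribute
  { src: "https://cdn.example/library.js", integrity: sriHash(LIB_BODY) },
];

console.log(JSON.stringify(auditScripts(HEADER, DOC, SCRIPTS), null, 2));
```

In a real page the value returned by `sriHash` goes into the script tag's integrity attribute. For a cross-origin script, SRI also needs the crossorigin attribute so the browser is allowed to check the response.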