WordPress Subresource Integrity (SRI) Manager

Adds Subresource Integrity (SRI) attributes to your page’s elements for better protection against JavaScript DDoS attacks.

A WordPress plugin for easily adding a Subresource Integrity (SRI) declaration to any third-party content your pages load. The standards-based `integrity` attribute is a defense-in-depth best practice currently making its way into browsers. This plugin closely tracks the W3C draft.

Currently, the plugin automatically detects any third-party resources (like JavaScript libraries) and will make a SHA-256 hash of the content. It remembers this hash (until you uninstall the plugin), and modifies your page’s <script> and <link> elements on-the-fly. This way, your visitor’s Web browsers can automatically ensure that the specific library you’re using is the one they’re loading.

Using this plugin can dramatically reduce the liklihood that visitors to your site will be strong-armed into participating in an HTTP DDoS attack. For more information, see “An introduction to JavaScript-based DDoS” by Nick Sullivan.

Future versions of this plugin will also provide an easy-to-use interface for site administrators to maintain a customized list of resource hashes, and to trigger on-demand integrity checks of these resources.

This plugin is still somewhat skeletal. Feature requests and patches are welcome! Please provide a test case with your patch. See the `tests` subdirectory for unit tests.