Subresource Integrity

To ensure the scripts and stylesheets you load aren’t maliciously altered, tack on an integrity attribute whose value is one or more SHA digests, each base64-encoded and prefixed with the name of its hash algorithm:

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.3/jquery.min.js"
        integrity="sha384-ECTndYny330R2jlSXBiZkdXzAVi0Z/iDXJTwV6cp39HECmalqg6+b2sFZFf/Y2m6 sha512-epzJ9ms+0Pq+zFMrG1lXVNvjEXgtfKx9iuEWqz3hmbaU2m/Dp1pcmpYzuSdDLqX6PMIjzMOyGFwMc+SkgFhMFg=="
        crossorigin="anonymous"></script>

With the integrity attribute, the browser will not load the script unless a digest it computes over the fetched script matches one of the base64-decoded digests in the attribute. This also works on <style> tags. The crossorigin attribute enables CORS, which the browser requires before it will run the integrity check on a resource served from another origin.

To speed up the creation of SRI digests, I whipped up a small script that spits out SHA384 and SHA512 digests:

#!/usr/bin/env bash
# Usage: sri.sh <url>
# Prints SHA384 and SHA512 SRI digests for the resource at <url>.
set -euo pipefail

url="${1:?usage: $0 <url>}"

# Fetch once; -f makes curl fail on HTTP errors so we never hash an error page.
body="$(mktemp)"
trap 'rm -f "$body"' EXIT
curl -fsSL "$url" -o "$body"

for alg in sha384 sha512; do
    printf '%s-' "$alg"
    openssl dgst -"$alg" -binary "$body" | openssl base64 -A
    echo
done
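As an added example that is not part of the original post, here is the browser-side check described above written out in Python: it builds an integrity token from content bytes (the same thing the shell script prints) and verifies an integrity attribute the way the SRI spec says browsers do, considering only the strongest algorithm listed and accepting the content if any digest of that algorithm matches. The sample script bytes are constructed for the example.

```python
import base64
import hashlib

# Constructed sample content standing in for a fetched script (not jQuery).
SAMPLE_SCRIPT = b"console.log('hello sri');\n"

# Algorithms SRI allows, ordered weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64>' for the given bytes."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    raw = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(raw).decode('ascii')}"


def integrity_matches(integrity: str, content: bytes) -> bool:
    """Check content against an integrity attribute as a browser would.

    Tokens are whitespace-separated; malformed or unknown-algorithm tokens
    are ignored. Only the strongest algorithm present counts, and the
    content passes if ANY token of that algorithm matches.
    """
    parsed = []
    for token in integrity.split():
        alg, sep, digest_b64 = token.partition("-")
        alg = alg.lower()
        if not sep or alg not in STRENGTH:
            continue
        # The spec allows an optional '?options' suffix; drop it.
        digest_b64 = digest_b64.split("?", 1)[0]
        try:
            expected = base64.b64decode(digest_b64, validate=True)
        except ValueError:
            continue  # not valid base64: ignore this token
        parsed.append((alg, expected))
    if not parsed:
        # No usable token at all: the spec treats this as no integrity metadata.
        return True
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    return any(
        hashlib.new(alg, content).digest() == expected
        for alg, expected in parsed
        if STRENGTH[alg] == strongest
    )
```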