Subresource Integrity (SRI)
Propshaft supports Subresource Integrity (SRI), a security feature that allows browsers to verify that the resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by checking a cryptographic hash of the fetched resource against a hash you provide in the HTML.
Enabling SRI
To enable SRI support, you need to configure the desired hash algorithm in your Rails application's configuration, typically in config/application.rb or an environment-specific file.
    # config/application.rb
    module MyApp
      class Application < Rails::Application
        # ...
        # Hash algorithm Propshaft uses when generating integrity values
        config.assets.integrity_hash_algorithm = "sha384"
      end
    end
Valid hash algorithms include:
"sha256": The most common algorithm.
"sha384": Recommended for enhanced security.
"sha512": The strongest available algorithm.
Setting this configuration value tells Propshaft to generate integrity hashes for all assets during precompilation and store them in the .manifest.json file.
Using SRI in Views
Once SRI is configured, you can enable it on a per-asset basis by passing the integrity: true option to the standard asset view helpers.
<%= stylesheet_link_tag "application", integrity: true %>
<%= javascript_include_tag "application", integrity: true %>
This will generate HTML tags that include the integrity attribute:
    <link rel="stylesheet"
          href="/assets/application-abc123.css"
          integrity="sha384-xyz789...">
    <script src="/assets/application-def456.js"
            integrity="sha384-uvw012..."></script>
Important Note: SRI is only active in secure contexts. Propshaft will automatically omit the integrity attribute if the page is served over HTTP in production. This is because serving over an insecure connection already exposes the application to man-in-the-middle attacks, rendering SRI ineffective.
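To make the integrity attribute concrete, the following added example (not Propshaft's own code) builds an integrity value and evaluates a fetched body against it following the matching rules of the SRI specification. The names sri_value, sri_check, ASSET and TAMPERED are assumptions made for this sketch, and the sample bodies are constructed.

```ruby
require "digest"

# Algorithms the page lists, ordered weakest to strongest.
SRI_DIGESTS = {
  "sha256" => Digest::SHA256,
  "sha384" => Digest::SHA384,
  "sha512" => Digest::SHA512
}.freeze

# Integrity value format: "<algorithm>-<base64 of the raw digest>".
def sri_value(body, algorithm = "sha384")
  digest = SRI_DIGESTS.fetch(algorithm) do
    raise ArgumentError, "unsupported algorithm: #{algorithm}"
  end
  "#{algorithm}-#{digest.base64digest(body)}"
end

# Evaluate a body against an integrity attribute as the SRI spec describes:
# the attribute may hold several space-separated values, unknown algorithms
# are ignored, only values using the strongest listed algorithm count, and
# an attribute with no usable value is not enforced at all.
def sri_check(body, integrity_attr)
  entries = integrity_attr.split.filter_map do |token|
    algorithm, encoded = token.split("-", 2)
    encoded = encoded.to_s.split("?", 2).first # drop any "?options" suffix
    [algorithm, encoded] if SRI_DIGESTS.key?(algorithm) && encoded
  end
  return :not_enforced if entries.empty?

  order = SRI_DIGESTS.keys
  strongest = entries.map(&:first).max_by { |name| order.index(name) }
  expected = entries.select { |name, _| name == strongest }.map(&:last)
  actual = SRI_DIGESTS[strongest].base64digest(body)
  expected.include?(actual) ? :match : :mismatch
end

# Constructed sample bodies, not real Propshaft assets.
ASSET = "console.log('hello');\n"
TAMPERED = ASSET + "/* modified in transit */"

if __FILE__ == $PROGRAM_NAME
  value = sri_value(ASSET)
  puts value
  puts sri_check(ASSET, value)           # unchanged body
  puts sri_check(TAMPERED, value)        # altered body
  puts sri_check(ASSET, "sha385-AAAA")   # misspelled algorithm
end
```

The :not_enforced result is the case to watch for when reviewing rendered pages: a misspelled or unsupported algorithm prefix leaves the resource loading with no integrity check at all.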
Bulk Stylesheet Inclusion with SRI
Propshaft extends the stylesheet_link_tag helper with special symbols for including multiple stylesheets at once, which also works with SRI.
:all: Includes all stylesheets found in the asset load path.
:app: Includes only stylesheets from app/assets/stylesheets.
<%# Include all stylesheets with integrity hashes %>
<%= stylesheet_link_tag :all, integrity: true %>
<%# Include only application-specific stylesheets with integrity hashes %>
<%= stylesheet_link_tag :app, integrity: true %>