pci_sri
The purpose of this module is to help Drupal sites meet PCI DSS requirements 6.4.3 (March 31, 2025) and 11.6.1 (March 31, 2025) by implementing Subresource Integrity (SRI) for modules and themes (contrib and custom).
Features
This module does the following:
- Generates custom SRI configuration for each Javascript file in the module and theme libraries.
- Adds an integrity attribute to <script> elements with a Base64 encoded hash code.
Post-Installation
The module provides a Drush command to generate the SRI configuration ("drush sri-gen"). After generating the SRI configuration, go to /admin/structure/sri and review the configuration.
Clear cache ("drush cr"), and view the source code for a page on the site. Observe that the <script> elements have an integrity attribute.
Look at the browser console and verify that no Javascript files are being blocked because the integrity attribute hash code does not match the hash code computed by the browser.
To confirm enforcement, simulate a malicious actor and modify one of the non-aggregated Javascript files in an installed module or theme. Refresh the page and the browser console will show that the modified Javascript has been blocked.
If a legitimate modification is made to a Javascript file, run "drush sri-gen" to update the SRI configuration with a new hash code so the browser won't block the Javascript.
Note: This module does not currently add an integrity attribute to <script> elements for Drupal core Javascript files, aggregated Javascript files, or cloud-based Javascript.
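The console check above can also be scripted. The following is an added example, not part of the pci_sri module: it recomputes the hash of each locally served script and compares it with the integrity attribute found in a saved copy of the page. It assumes the site is served from the docroot with no base path, and the function names are illustrative.

```python
import base64, hashlib, re, sys
from pathlib import Path

# SRI allows sha256/sha384/sha512. The page does not say which one pci_sri
# emits, so the algorithm is read from each integrity value's prefix.
SRI_ALGOS = ("sha256", "sha384", "sha512")
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")

def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Build the 'algo-base64(digest)' string used in an integrity attribute."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check_tag(attrs: dict, docroot: Path) -> str:
    """Classify one local <script> the way a browser's SRI check would."""
    path = docroot / attrs["src"].split("?", 1)[0].lstrip("/")  # drop cache-buster
    hashes = [h.split("?", 1)[0] for h in attrs.get("integrity", "").split()]
    hashes = [h for h in hashes if h.split("-", 1)[0] in SRI_ALGOS]
    if not hashes:
        return "missing-integrity"
    if not path.is_file():
        return "file-not-found"
    # Browsers enforce only the strongest algorithm listed; the three names
    # happen to sort in strength order, so max() selects it.
    strongest = max(h.split("-", 1)[0] for h in hashes)
    expected = sri_value(path.read_bytes(), strongest)
    return "ok" if expected in hashes else "mismatch"

def audit(html: str, docroot: Path) -> dict:
    """Map every locally served script src in the page to its SRI status."""
    results = {}
    for tag in SCRIPT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        src = attrs.get("src", "")
        # Skip inline scripts and anything with a scheme or protocol-relative URL.
        if src and not re.match(r"[a-z][a-z0-9+.-]*:|//", src, re.I):
            results[src] = check_tag(attrs, docroot)
    return results

if __name__ == "__main__":
    # Usage: python sri_audit.py saved_page.html /path/to/docroot
    report = audit(Path(sys.argv[1]).read_text(encoding="utf-8"), Path(sys.argv[2]))
    for src, status in sorted(report.items()):
        print(f"{status:18} {src}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Scripts the module does not cover (Drupal core and aggregated files, per the note above) are reported as missing-integrity, which gives a quick view of the remaining gap. A mismatch means the file on disk differs from the hash in the rendered page, so either re-run "drush sri-gen" for a legitimate change or investigate the modification.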
Additional Requirements
None
Similar projects
There is a Drupal core issue with a patch which reportedly adds an integrity attribute to aggregated Javascript files. The external_script_sri contrib module provides a method to add an integrity attribute to cloud-based Javascript.