Drupal is a registered trademark of Dries Buytaert
drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)! drupal 11.3.6 Update released for Drupal core (11.3.6)! drupal 10.6.6 Update released for Drupal core (10.6.6)! cms 2.1.0 Update released for Drupal core (2.1.0)! bootstrap 8.x-3.40 Minor update available for theme bootstrap (8.x-3.40). menu_link_attributes 8.x-1.7 Minor update available for module menu_link_attributes (8.x-1.7). eca 3.1.1 Minor update available for module eca (3.1.1). layout_paragraphs 2.1.3 Minor update available for module layout_paragraphs (2.1.3). ai 1.3.3 Minor update available for module ai (1.3.3). ai 1.2.14 Minor update available for module ai (1.2.14). node_revision_delete 2.0.3 Minor update available for module node_revision_delete (2.0.3). moderated_content_bulk_publish 2.0.52 Minor update available for module moderated_content_bulk_publish (2.0.52). klaro 3.0.10 Minor update available for module klaro (3.0.10). klaro 3.0.9 Minor update available for module klaro (3.0.9). layout_paragraphs 2.1.2 Minor update available for module layout_paragraphs (2.1.2). geofield_map 11.1.8 Minor update available for module geofield_map (11.1.8).
← All modules

pci_sri

27 sites No security coverage
View on drupal.org

The purpose of this module is to help Drupal sites meet PCI DSS requirements 6.4.3 (March 31, 2025) and 11.6.1 (March 31, 2025) by implementing SRI for modules and themes (contrib and custom).

Features

This module does the following:

  • Generates custom SRI configuration for each Javascript file in the module and theme libraries.
  • Adds an integrity attribute to <script> elements with a Base64 encoded hash code.

Post-Installation

The module provides a Drush command to generate the SRI configuration ("drush sri-gen"). After generating SRI configuration go to /admin/structure/sri and review the configuration.

Clear cache ("drush cr"), and view the source code for a page on the site. Observe <script> elements have an integrity attribute.

Look at the browser console and verify there are no Javascript files being blocked due to the integrity attribute hash code not matching the browser computed hash code. Simulate a malicious actor and modify one of the non-aggregated Javascript files in an installed module or theme. Refresh the page and the browser console will show that the modified Javascript has been blocked.

If a legitimate modification is made to a Javascript file, run "drush sri-gen" to update the SRI configuration with a new hash code so the browser won't block the Javascript.

Note: This module does not currently add an integrity attribute to <script> elements for Drupal core Javascript files, aggregated Javascript files, or cloud-based Javascript.

Additional Requirements

None

Similar projects

There is a Drupal core issue with a patch which reportedly adds an integrity attribute to aggregated Javascript files. The external_script_sri contrib module provides a method to add an integrity attribute to cloud-based Javascript.

Activity

Total releases
3
First release
Mar 2025
Latest release
7 months ago
Release cadence
89 days
Stability
67% stable

Release Timeline

Releases

Version Type Release date
1.1.0 Stable Sep 12, 2025
1.1.x-dev Dev Sep 12, 2025
1.0.0 Stable Mar 19, 2025