Add automatic Subresource Integrity generation to Wappler

This is a recommended security practice for any app that uses third-party resources (JS and CSS files) and can be required by other SaaS vendors when building apps that access data on their systems (e.g. Google).

Many of us use third-party resources in our apps (e.g., jQuery, Bootstrap, Summernote), and it can be tedious to generate the SRI hashes manually and correct the resources on all pages.

Based on a recent scan of my app, I have 35 pages to correct.

This feature request will help ensure our apps are a little more secure and greatly reduce the effort required to manage this vulnerability.

This is great in theory, but the application inside Wappler requires more thought.

SRI hashes can be applied to assets like you mentioned, but certain assets that depend on external services, such as Stripe, Google Analytics and so on should not use SRI hashes, because these third-party providers may update their scripts from time to time.

An SRI hash should only be used when the asset being loaded is version-tagged.

Also, if you’re using templates, you can edit your main template to use SRI hashes so all your pages are updated as well.


Thanks for the additional insight, @Apple!

In this scenario, I’m running into these on a mobile app that doesn’t use a templating system. I tried to implement an SSI-style function within my app, but I ran into issues with App Connect loading data properly, so I removed it.