What is this?
SRI (Subresource Integrity) lets you add a hash to every externally embedded script or stylesheet tag (<script src="...">, <link rel="stylesheet">). The browser fetches the file, computes its hash, and compares the two: if they differ, the file is not executed.
That protects you against compromised CDN providers and accidental file changes. If an attacker takes over the jQuery CDN and injects malicious code, the browser blocks the modified script on your page.
When do I need it?
As soon as you load scripts or stylesheets from a third-party server, typically CDN paths like cdnjs, jsdelivr, unpkg. For files served from your own server, SRI is not needed.
Caveat: SRI only works for static file versions. With rotating versions (e.g. always "latest"), you must refresh the hash on every update - or pin the version in the URL.
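The check and the caveat above, as an added Node.js example (not code from the original page): it builds an integrity value, repeats the browser's comparison on fetched bytes, and audits markup for external tags that lack a hash or use a floating version. The function names, the hosts cdn.example.net and www.example.org, the libfoo library and the sample HTML are constructed for illustration, and the version test is a simple heuristic.

```javascript
const crypto = require('crypto');

// Integrity value: "<algo>-<base64 digest of the exact file bytes>".
function sriHash(content, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(content).digest('base64')}`;
}

// Same comparison the browser makes: hash the fetched bytes and accept only
// on an exact match with the pinned value (single-hash values only here).
function matchesIntegrity(fetched, integrity) {
  const algo = integrity.split('-')[0];
  if (!['sha256', 'sha384', 'sha512'].includes(algo)) return false;
  return sriHash(fetched, algo) === integrity;
}

// Report external <script>/<link rel="stylesheet"> tags that have no
// integrity attribute or whose URL does not pin a version.
function auditTags(html, ownHost) {
  const findings = [];
  for (const [tag, name] of html.matchAll(/<(script|link)\b[^>]*>/gi)) {
    if (name.toLowerCase() === 'link' && !/\brel="stylesheet"/i.test(tag)) continue;
    const url = (tag.match(/\b(?:src|href)="([^"]+)"/i) || [])[1];
    if (!url || !/^(https?:)?\/\//i.test(url)) continue; // relative path: own server
    if (new URL(url, 'https://' + ownHost).host === ownHost) continue;
    if (!/\bintegrity="[^"]+"/i.test(tag)) {
      findings.push({ url, issue: 'missing integrity' });
    }
    // Heuristic: "latest" in the URL, or no x.y version number at all.
    if (/@latest\b|\/latest\//i.test(url) || !/\d+\.\d+/.test(url)) {
      findings.push({ url, issue: 'unpinned version' });
    }
  }
  return findings;
}

// Constructed sample markup; the integrity value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/libfoo@3.2.1/libfoo.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/libfoo@latest/libfoo.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/theme/1.4.0/theme.css">
`;

for (const f of auditTags(SAMPLE_HTML, 'www.example.org')) {
  console.log(`${f.issue}: ${f.url}`);
}
```

Run sriHash over the exact bytes the CDN serves for the pinned version; a single changed byte makes matchesIntegrity return false.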