Integrating third-party resources into web pages, such as those served from a Content Delivery Network (CDN), carries the risk that an attacker gains control of the third-party host and manipulates these resources. The Subresource Integrity (SRI) browser feature mitigates this risk by ensuring that only unaltered resources are used. To do this, the page includes a cryptographic hash that the fetched resource must match.
Dynatrace RUM supports SRI through a dedicated tag format, the OneAgent JavaScript tag with SRI. It contains a hash for the RUM monitoring code. If the hash doesn't match the monitoring code received by the browser, the code won't be executed.
When Session Replay is enabled, the Session Replay monitoring code is injected into your page by the RUM JavaScript as an external resource, resulting in a separate request. Starting with RUM JavaScript version 1.309, if you use the OneAgent JavaScript tag with SRI, the RUM JavaScript will inject both the Session Replay monitoring code and a cryptographic hash to ensure its integrity.
Note that all connected ActiveGates must be on ActiveGate version 1.310+ for at least 30 days before this feature becomes available.
For auto-injected applications, the Real User Monitoring code is, by default, delivered by OneAgent. To use SRI, you need to configure your application to request the monitoring code from the Dynatrace CDN as described in Configure the Real User Monitoring code source. This will allow you to select the necessary tag format.
The optimal approach to using SRI for an agentless application is to integrate the insertion of the OneAgent JavaScript tag with SRI into your build process via the API. This ensures that your application consistently operates with the latest configuration.
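A build step can confirm that the tag it inserted is actually enforceable and matches the script bytes, following the hash check described above. This is an added example, not Dynatrace code: it does not call the Dynatrace API, and the function names, the placeholder URL and the sample script body are assumptions constructed for illustration.

```javascript
const { createHash } = require("crypto");

// SRI hash algorithms, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Parse an integrity value into [{alg, digest}]; tokens with an unsupported
// algorithm or a malformed digest are skipped, as a browser would skip them.
function parseIntegrity(value) {
  const entries = [];
  for (const token of (value || "").trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ alg: m[1], digest: m[2] });
  }
  return entries;
}

// Mirror the browser's decision: only hashes of the strongest algorithm
// present count, and any one of them may match the resource.
function verifySri(integrity, body) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return "not-enforced"; // browser loads it unchecked
  const strongest = entries
    .map((e) => e.alg)
    .sort((a, b) => STRENGTH.indexOf(b) - STRENGTH.indexOf(a))[0];
  const actual = createHash(strongest).update(body).digest("base64");
  return entries.some((e) => e.alg === strongest && e.digest === actual)
    ? "match" : "mismatch";
}

// Check one <script> tag string from the built HTML against the script bytes.
// Assumes double-quoted attribute values.
function checkScriptTag(tagHtml, body) {
  const attr = (name) => {
    const m = new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`, "i").exec(tagHtml);
    return m ? m[1] : null;
  };
  return {
    sri: verifySri(attr("integrity"), body),
    // A cross-origin script with integrity but no crossorigin attribute is
    // blocked, because the browser cannot read the opaque response to hash it.
    crossorigin: attr("crossorigin") !== null,
  };
}

// Constructed sample data: placeholder URL and a stand-in script body.
const sampleBody = Buffer.from("console.log('rum');\n");
const sampleHash = createHash("sha384").update(sampleBody).digest("base64");
const sampleTag =
  `<script src="https://cdn.example.invalid/rum.js" crossorigin="anonymous" ` +
  `integrity="sha384-${sampleHash}"></script>`;
console.log(checkScriptTag(sampleTag, sampleBody));
```

A build should fail on anything other than `match` with `crossorigin` present; `not-enforced` means the tag carries no hash the browser would check.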
To get the OneAgent JavaScript tag with SRI from the web UI
Using the OneAgent JavaScript tag with SRI from the web UI is only recommended for test purposes.