JavaScript Integrity Monitoring

Know when your JavaScript changes

Every script on your site can change without you knowing — a new dependency, a modified file, or a compromised third party. Report URI fingerprints the JavaScript running in your users' browsers and tells you the moment one changes.

Third-Party Script Risk

You didn't write most of the JavaScript on your site

The scripts running in your users' browsers come from tag managers, analytics, payment widgets, and libraries you pulled in months ago. Any one of them can change at any time — and when it does, it's your page that runs the new code.

Silent Change

A dependency changes and you never see it

A third-party script gets updated at the source. The version your users load today isn't the one you reviewed. Nothing on your side flagged the change.

Supply Chain

A compromised library becomes your breach

British Airways lost £20,000,000 after an attacker edited a single file loading on their site. The code wasn't theirs. The penalty was.

Stale Inventory

A static inventory can't keep up

A spreadsheet of approved scripts reflects a moment in time, not what's executing right now. Scripts change continuously. A point-in-time list doesn't.

Script Fingerprinting

Fingerprint every script. Catch every change.

Report URI captures the integrity metadata of every JavaScript file loading on your site, identifies it against a database of nearly 13,000,000 verified fingerprints, and alerts you the moment anything changes.

CSP Integrity

Client-side visibility into every script

Captures integrity metadata directly from the browser to identify each script, verify its fingerprint against our database, and alert you the moment one changes. Detect compromised third- and fourth-party dependencies, spot scripts with known CVEs, and get guidance to patch vulnerable libraries before an attack takes hold.

Script Watch

Real-time change detection

Monitors every JavaScript dependency across your site and notifies you the moment one changes, moves, or a new one appears. An unexpected new dependency is one of the most reliable early indicators of a Magecart attack in progress.

Integrity Policy

Enforce Subresource Integrity coverage

Without SRI, a browser executes any script it receives — including a tampered one. Integrity Policy surfaces every script missing SRI coverage so you can enforce consistent protection across your whole estate and close the gaps attackers rely on.

Threat Intelligence

Know if a source is already known-bad

Script Watch tells you a script changed. Threat Intelligence tells you whether the source is known to be malicious, drawing on external and internally generated feeds of active threat data.

Deployment

Two lines of config. No agent. No risk.

Report URI uses integrity metadata built into every modern browser. There's no code or agent to deploy — we gather data from the browser loading your page and analyse it over time. Many CDN providers let you enable it straight from their dashboard.

This is client-side security that reads what's already happening in the browser. It adds nothing to your page and can't break what it monitors.

Collect integrity metadata — report-only, no enforcement
Content-Security-Policy-Report-Only:
  script-src 'report-sha256'; report-to default

At most two to three lines of config

No agent, no injected code

No performance impact

No risk of breaking your site

Works across Chrome, Safari, Firefox — every modern browser

Get Started

Start monitoring your JavaScript

Two lines of config. No infrastructure changes.

30-day free trial  ·  Two lines of config  ·  No agent  ·  Nearly 13,000,000 verified fingerprints

Scope

JavaScript integrity monitoring: what's covered

Report URI identifies every script executing in the browser, verifies it against a known-file database, detects changes as they happen, and produces an audit trail of that activity. That's what it's built to do.

Report URI covers Doesn't replace
Script fingerprinting and identification Penetration testing
Real-time change and tampering detection Secure code review
SRI coverage enforcement WAF or edge security
Known-CVE dependency detection Vulnerability remediation

Tools that promise to do all of it usually inject their own code into your pages — another script, another attack surface. Report URI doesn't. Nothing runs on your behalf, so nothing can break, slow down, or get compromised.

“Report URI has given us the capability to seamlessly build and roll out new Content Security Policies with a high level of confidence. The unopinionated and technology-agnostic nature of Report URI allowed us to integrate it directly and easily into our existing workflows, and to gain instant visibility into CSP reports. With Report URI's Script Watch product, we can meet our obligations under the new PCI DSS v4.0 requirements, in a way that meaningfully helps us monitor and assure the security of key components of the Paddle platform.”

Colin Barr, Head of InfoSec and IT  ·  Paddle