Here's a curiosity which I found while stumbling through the Sony PlayStation store.
The website loads internally hosted scripts using SRI (SubResource Integrity). Why?
Does your work require you to swipe an ID card to access the building? That seems pretty normal.
Does your work also remind you to keep your badge visible, and to challenge people who aren't wearing theirs? That also seems pretty normal. Sometimes security is breached, so we have multiple layers to keep us safe.
In Sony's case, they may know that many people have write access to the
/assets/ directory, but very few can write to the product templates. So they add a further check even on code which they serve themselves.
This is defence in depth. But is it sensible?
If you're running a simple site, there's probably no benefit to this. If someone has the ability to maliciously alter a single JS file on your server, they probably have the ability to change the SRI hashes you're embedding.
But if you have a large and complicated infrastructure, it makes sense to double-check everything.
If you think I'm wrong - stick a comment in the box below.