Proposal for Implementing Subresource Integrity (SRI) with Plausible Analytics

To enhance the security of websites using Plausible Analytics, I recommend implementing Subresource Integrity (SRI) for the script tags provided by Plausible. SRI protects websites from malicious third-party alterations to scripts loaded from external sources.

Currently, the script integration method is as follows:

<script defer data-domain="[REDACTED].com" src="https://stats.[REDACGTED].com/js/script.js"></script>

After implementation of SRI, code should look like this:

<script defer data-domain="[REDACTED].com" src="https://stats.[REDACTED].com/js/script.js" integrity="sha256-<Your-Base64-Hash>" crossorigin="anonymous"></script>

This addition ensures that the browser verifies the fetched script against the hash before execution, safeguarding users against tampering and boosting overall trust in Plausible Analytics.

More about SRI you can find on https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

I hope you’ll consider this essential security enhancement.