Subresource Integrity (SRI) for the Pendo Web SDK


This article explains how to implement Subresource Integrity (SRI) when self-hosting the Pendo Web SDK. SRI provides additional security by verifying that the Pendo Web SDK file that loads hasn't been modified. If the file's integrity hash doesn't match the expected value, the browser blocks the script, and Pendo will fail to initialize.

Limitations of SRI with a Pendo-hosted JS file

If you use a Pendo‑hosted JavaScript (JS) file with SRI, you’re likely to see the integrity check fail more often than expected. This is because the file Pendo serves can change without you updating your install script.

If you apply SRI to a Pendo‑hosted JS file, the integrity hash can break when:

  • The Pendo agent version updates.
    • You can reduce how often this happens by switching your agent settings from Latest stable to Manual so you control when the agent version changes.
  • Application or subscription settings change, including:

Because these changes update the Pendo JS file, they invalidate any previously calculated SRI hash.

For these reasons, we recommend self‑hosting the Pendo Web SDK if you must use SRI. When you self‑host, you control when the file changes, which helps prevent unexpected integrity failures from silently breaking your Pendo installation.

Implementing a self-hosted JS file with SRI

  1. Self-host Pendo’s Web SDK. See Self-hosting the Pendo Web SDK for more specific instructions.
  2. Generate a hash for the JavaScript file.

Note: Changing your implementation to a self-hosted web SDK creates additional developer work, because you become responsible for keeping the SDK on the latest version. Pendo continuously releases updates to the Pendo Web SDK, including feature enhancements and critical security updates, so make sure you have a plan to keep the web SDK up to date. You can subscribe to an RSS feed to get notified when web SDK updates are released.
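The following Node.js sketch is an added example, not code from Pendo. It generates the SRI value for step 2 and checks, before deployment, that the integrity attribute in a page still matches the self-hosted file, so an SDK update without a new hash is caught before the browser blocks the script. The path /assets/pendo.js, the function names, and the sample bytes are assumptions made for illustration.

```javascript
// Added example (not Pendo's code): generate an SRI value and verify a page's pin.
const crypto = require('node:crypto');

// Hash algorithms SRI allows, weakest to strongest.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Build the integrity attribute value: "<algo>-<base64 digest of the file bytes>".
function sriHash(bytes, algo = 'sha384') {
  if (!ALGOS.includes(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Return the integrity attribute of the <script> tag that loads `src`, or null.
function findIntegrity(html, src) {
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const srcAttr = tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i);
    if (!srcAttr || srcAttr[1] !== src) continue;
    const m = tag.match(/\bintegrity\s*=\s*["']([^"']*)["']/i);
    return m ? m[1].trim() : null;
  }
  return null;
}

// Browsers enforce only the strongest algorithm listed and accept any matching hash
// for it. A missing or unsupported pin enforces nothing, so it fails this check.
function checkDeploy(html, src, bytes) {
  const integrity = findIntegrity(html, src);
  if (!integrity) return { ok: false, reason: 'missing integrity attribute' };
  const entries = integrity.split(/\s+/).filter((e) => ALGOS.includes(e.split('-')[0]));
  if (entries.length === 0) return { ok: false, reason: 'no supported hash' };
  const strongest = ALGOS.filter((a) => entries.some((e) => e.startsWith(a + '-'))).pop();
  const expected = sriHash(bytes, strongest);
  const ok = entries.includes(expected);
  return { ok, reason: ok ? 'match' : `hash mismatch, expected ${expected}` };
}

// Constructed sample data: stand-ins for two builds of the self-hosted file.
const sdkV1 = Buffer.from('/* constructed stand-in for pendo.js, build 1 */');
const sdkV2 = Buffer.from('/* constructed stand-in for pendo.js, build 2 */');
const page = `<script src="/assets/pendo.js" integrity="${sriHash(sdkV1)}"></script>`;

console.log(sriHash(sdkV1));                               // value to put in the tag
console.log(checkDeploy(page, '/assets/pendo.js', sdkV1)); // pinned build: passes
console.log(checkDeploy(page, '/assets/pendo.js', sdkV2)); // file changed, pin stale: fails
```

In a build pipeline, the bytes would come from reading the deployed file and the HTML from the built page, with a failed check stopping the release.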

Using SRI with staging environments

If you've defined staging servers in Settings > Staging, Pendo automatically uses a staging version of the web SDK, pendo-staging.js, when loaded from those environments. This behavior is controlled by your production web SDK's configuration using the stagingServers and stagingAgentUrl options.

Unfortunately, you cannot use an SRI hash with the stagingAgentUrl. Browsers will not apply integrity checks to dynamically loaded scripts. As a workaround, configure your environment to always use the production web SDK, even in staging:

  1. Remove all entries in your stagingServers list.
  2. Ensure your production web SDK script (with SRI) loads in all environments.

Using this method allows you to use an SRI hash for staging environments and still view guides in "staged" status in your staging environments.
