Pinning the bootstrap script with Subresource Integrity
By default, the bootstrap scripts (bootstrap.js and mobile-bootstrap.js) auto-update: the URL stays the same and Insurely ships new content in place. This means you always run the latest version without any action on your side.
If your security policy requires you to verify the script before it runs, you can pin an immutable, content-hashed copy instead and verify it with Subresource Integrity (SRI). The content served at the pinned URL never changes, so the integrity hash stays valid until you choose to adopt a new version.
The pinned embed snippet
Replace the plain script tag from the setup step with the pinned version below. The src points to the content-hashed filename, integrity carries the sha384 hash, and crossorigin="anonymous" is required for the browser to enforce the check.
<script
type="text/javascript"
src="https://blocks.insurely.com/assets/bootstrap.<hash>.js"
integrity="sha384-…"
crossorigin="anonymous"
></script>

The same applies to the mobile bootstrap script:
<script
type="text/javascript"
src="https://blocks.insurely.com/assets/mobile-bootstrap.<hash>.js"
integrity="sha384-…"
crossorigin="anonymous"
></script>

The pinned copy is byte-identical to the auto-updating original: it is the same script, only served under an immutable URL. All configuration (window.insurely, pre-filling, advisor attributes) works exactly the same.
Obtaining the filename and integrity value
Ask us for the current immutable filename and its sha384 integrity value for the entry you want to pin (bootstrap or mobile-bootstrap) — email support@insurely.com, or take them from the change notification we send you. We publish a new hashed filename each time the script changes, so requesting it ensures you pin the exact version we currently recommend rather than deriving it yourself.
Optionally, you can verify the integrity value we provide against the pinned file before you deploy:
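# Prints the base64 SHA-384 digest; it should match the part after `sha384-` in the value we provided.
# -f makes curl fail on an HTTP error instead of hashing an error page; the URL is quoted so the shell does not treat <hash> as a redirection.
curl -fsS "https://blocks.insurely.com/assets/bootstrap.<hash>.js" | openssl dgst -sha384 -binary | openssl base64

Trade-off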
A pinned file does not auto-update. When we change the bootstrap script we publish a new hashed filename — the old one keeps working — and notify you so you can re-pin on your own schedule.
Pinning gives you a verifiable, immutable script at the cost of adopting new versions manually. When a new version is available you update both the src filename and the integrity value, then deploy on your own timeline.
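A pre-deploy check for the re-pin step above, as an added example that is not Insurely's own code: it confirms that every Insurely script tag in a page uses a pinned filename, carries crossorigin="anonymous", and has an integrity value matching the bytes you reviewed. The filename hash, the stand-in script bytes and the filename pattern (one dot-free hash segment) are assumptions constructed for the example.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

HOST = "https://blocks.insurely.com/"
# Assumption: the content hash is a single dot-free segment of the filename.
PINNED = re.compile(r"https://blocks\.insurely\.com/assets/(mobile-)?bootstrap\.[^./]+\.js")

def sri_sha384(data: bytes) -> str:
    """SRI value for data: 'sha384-' + base64 of the raw SHA-384 digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append(dict(attrs))

def audit_embed(html: str, reviewed: dict) -> list:
    """Check every Insurely <script> tag; reviewed maps src -> approved bytes."""
    parser = _Scripts()
    parser.feed(html)
    findings = []
    for attrs in parser.found:
        src = attrs.get("src") or ""
        if not src.startswith(HOST):
            continue  # not an Insurely script, out of scope for this check
        if not PINNED.fullmatch(src):
            findings.append(f"{src}: not a pinned, content-hashed filename")
            continue
        if attrs.get("crossorigin") != "anonymous":
            findings.append(f'{src}: crossorigin="anonymous" missing')
        if src not in reviewed:
            findings.append(f"{src}: no reviewed copy to verify against")
        elif sri_sha384(reviewed[src]) not in (attrs.get("integrity") or "").split():
            findings.append(f"{src}: integrity does not match reviewed copy")
    return findings

# Constructed sample input: stand-in script bytes and a made-up filename hash.
SAMPLE_SRC = HOST + "assets/bootstrap.0a1b2c3d.js"
SAMPLE_BODY = b"/* constructed stand-in for the bootstrap script */\n"
SAMPLE_HTML = (f'<script type="text/javascript" src="{SAMPLE_SRC}" '
               f'integrity="{sri_sha384(SAMPLE_BODY)}" crossorigin="anonymous"></script>')

if __name__ == "__main__":
    print(audit_embed(SAMPLE_HTML, {SAMPLE_SRC: SAMPLE_BODY}) or "embed OK")
```

A src updated without its integrity value (or the reverse) shows up as a mismatch finding, which is the case to catch before the browser blocks the script in production.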
When to pin vs. auto-update
| Use the pinned, immutable URL | Use the plain bootstrap.js |
|---|---|
| Your security policy requires SRI verification | You want the latest version automatically |
| You need to review and approve script changes before they go live | You don't require SRI |
| You can re-pin when Insurely notifies you of a new version | You prefer zero maintenance |
If you are unsure which option fits your requirements, contact us at support@insurely.com.