From abd24713f2a5fd57ef55fc3e1e37225cab1a7557 Mon Sep 17 00:00:00 2001
From: will Farrell <willfarrell@proton.me>
Date: Thu, 26 Feb 2026 11:28:54 -0700
Subject: [PATCH 1/6] feat: add support for Integrity-Policy & sri

Signed-off-by: will Farrell <willfarrell@proton.me>
---
 .../docs/98-reference/20-$app-integrity.md    |  5 ++
 packages/kit/scripts/generate-dts.js          |  1 +
 packages/kit/src/core/config/index.spec.js    |  7 ++-
 packages/kit/src/core/config/options.js       | 12 +++++
 packages/kit/src/core/sync/write_server.js    |  1 +
 packages/kit/src/exports/vite/index.js        | 18 +++++++
 .../kit/src/runtime/app/integrity/index.js    | 37 ++++++++++++++
 .../kit/src/runtime/app/integrity/types.d.ts  | 20 ++++++++
 .../kit/src/runtime/server/page/render.js     | 49 ++++++++++++++-----
 packages/kit/src/types/internal.d.ts          |  3 ++
 packages/kit/types/index.d.ts                 | 27 ++++++++++
 11 files changed, 168 insertions(+), 12 deletions(-)
 create mode 100644 documentation/docs/98-reference/20-$app-integrity.md
 create mode 100644 packages/kit/src/runtime/app/integrity/index.js
 create mode 100644 packages/kit/src/runtime/app/integrity/types.d.ts

diff --git a/documentation/docs/98-reference/20-$app-integrity.md b/documentation/docs/98-reference/20-$app-integrity.md
new file mode 100644
index 000000000000..e6f739f1ad41
--- /dev/null
+++ b/documentation/docs/98-reference/20-$app-integrity.md
@@ -0,0 +1,5 @@
+---
+title: $app/integrity
+---
+
+> MODULE: $app/integrity
diff --git a/packages/kit/scripts/generate-dts.js b/packages/kit/scripts/generate-dts.js
index b470d6d63494..ef9f3d8b4024 100644
--- a/packages/kit/scripts/generate-dts.js
+++ b/packages/kit/scripts/generate-dts.js
@@ -11,6 +11,7 @@ await createBundle({
 		'@sveltejs/kit/vite': 'src/exports/vite/index.js',
 		'$app/environment': 'src/runtime/app/environment/types.d.ts',
 		'$app/forms': 'src/runtime/app/forms.js',
+		'$app/integrity': 'src/runtime/app/integrity/types.d.ts',
 		'$app/navigation': 'src/runtime/app/navigation.js',
 		'$app/paths': 'src/runtime/app/paths/public.d.ts',
 		'$app/server': 'src/runtime/app/server/index.js',
diff --git a/packages/kit/src/core/config/index.spec.js b/packages/kit/src/core/config/index.spec.js
index 14ac3361701b..a9919e0be137 100644
--- a/packages/kit/src/core/config/index.spec.js
+++ b/packages/kit/src/core/config/index.spec.js
@@ -100,7 +100,11 @@ const get_defaults = (prefix = '') => ({
 		},
 		inlineStyleThreshold: 0,
 		moduleExtensions: ['.js', '.ts'],
-		output: { preloadStrategy: 'modulepreload', bundleStrategy: 'split' },
+		integrityPolicy: { endpoints: ['default'] },
+		output: {
+			preloadStrategy: 'modulepreload',
+			bundleStrategy: 'split'
+		},
 		outDir: join(prefix, '.svelte-kit'),
 		router: {
 			type: 'pathname',
@@ -109,6 +113,7 @@ const get_defaults = (prefix = '') => ({
 		serviceWorker: {
 			register: true
 		},
+		subresourceIntegrity: false,
 		typescript: {},
 		paths: {
 			base: '',
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
index d16ba4253582..16e412e2637a 100644
--- a/packages/kit/src/core/config/options.js
+++ b/packages/kit/src/core/config/options.js
@@ -154,6 +154,10 @@ const options = object(
 
 			inlineStyleThreshold: number(0),
 
+			integrityPolicy: object({
+				endpoints: string_array(['default'])
+			}),
+
 			moduleExtensions: string_array(['.js', '.ts']),
 
 			outDir: string('.svelte-kit'),
@@ -304,6 +308,14 @@ const options = object(
 				files: fun((filename) => !/\.DS_Store/.test(filename))
 			}),
 
+			subresourceIntegrity: validate(false, (input, keypath) => {
+				if (input === false) return false;
+				if (!['sha256', 'sha384', 'sha512'].includes(input)) {
+					throw new Error(`${keypath} should be false, "sha256", "sha384" or "sha512"`);
+				}
+				return input;
+			}),
+
 			typescript: object({
 				config: fun((config) => config)
 			}),
diff --git a/packages/kit/src/core/sync/write_server.js b/packages/kit/src/core/sync/write_server.js
index ea7d9dfe0c99..f0b6e460b825 100644
--- a/packages/kit/src/core/sync/write_server.js
+++ b/packages/kit/src/core/sync/write_server.js
@@ -47,6 +47,7 @@ export const options = {
 	hash_routing: ${s(config.kit.router.type === 'hash')},
 	hooks: null, // added lazily, via \`get_hooks\`
 	preload_strategy: ${s(config.kit.output.preloadStrategy)},
+	integrity_policy_endpoints: ${s(config.kit.integrityPolicy.endpoints)},
 	root,
 	service_worker: ${has_service_worker},
 	service_worker_options: ${config.kit.serviceWorker.register ? s(config.kit.serviceWorker.options) : 'null'},
diff --git a/packages/kit/src/exports/vite/index.js b/packages/kit/src/exports/vite/index.js
index 72db04111e56..8d995cba8ec0 100644
--- a/packages/kit/src/exports/vite/index.js
+++ b/packages/kit/src/exports/vite/index.js
@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto';
 import fs from 'node:fs';
 import path from 'node:path';
 import process from 'node:process';
@@ -1269,6 +1270,23 @@ async function kit({ svelte_config }) {
 					}
 				}
 
+				// Compute SRI integrity hashes
+				if (build_data.client && svelte_config.kit.subresourceIntegrity) {
+					const algorithm = svelte_config.kit.subresourceIntegrity;
+					/** @type {Record<string, string>} */
+					const integrity = {};
+
+					for (const chunk of /** @type {import('vite').Rollup.OutputBundle[string][]} */ (
+						client_chunks
+					)) {
+						const content = chunk.type === 'chunk' ? chunk.code : chunk.source;
+						const hash = createHash(algorithm).update(content).digest('base64');
+						integrity[chunk.fileName] = `${algorithm}-${hash}`;
+					}
+
+					build_data.client.integrity = integrity;
+				}
+
 				// regenerate manifest now that we have client entry...
 				fs.writeFileSync(
 					manifest_path,
diff --git a/packages/kit/src/runtime/app/integrity/index.js b/packages/kit/src/runtime/app/integrity/index.js
new file mode 100644
index 000000000000..f15d8533e6a4
--- /dev/null
+++ b/packages/kit/src/runtime/app/integrity/index.js
@@ -0,0 +1,37 @@
+import { BROWSER } from 'esm-env';
+import { manifest } from '__sveltekit/server';
+import { initial_base } from '$app/paths/internal/server';
+
+/**
+ * @param {string} url
+ * @returns {string | undefined}
+ */
+function server_integrity(url) {
+	const integrity_map = manifest?._.client.integrity;
+	if (!integrity_map) return undefined;
+
+	// Integrity map keys are like "_app/immutable/assets/foo.abc123.js"
+	// URLs from ?url imports are absolute: "/_app/immutable/assets/foo.abc123.js"
+	// or with base: "/my-base/_app/immutable/assets/foo.abc123.js"
+	//
+	// We use initial_base (not base) because base can be overridden to a relative
+	// path during rendering when paths.relative is true, while ?url imports are
+	// always absolute.
+	const prefix = (initial_base || '') + '/';
+	if (url.startsWith(prefix)) {
+		return integrity_map[url.slice(prefix.length)];
+	}
+
+	return undefined;
+}
+
+/**
+ * Look up the SRI integrity hash for a Vite-processed asset URL.
+ * Returns the integrity string (e.g. `"sha384-..."`) during SSR, or `undefined` on the client / in dev.
+ * @param {string} url
+ * @returns {string | undefined}
+ */
+export function integrity(url) {
+	if (BROWSER) return undefined;
+	return server_integrity(url);
+}
diff --git a/packages/kit/src/runtime/app/integrity/types.d.ts b/packages/kit/src/runtime/app/integrity/types.d.ts
new file mode 100644
index 000000000000..8113311ab0f0
--- /dev/null
+++ b/packages/kit/src/runtime/app/integrity/types.d.ts
@@ -0,0 +1,20 @@
+/**
+ * Look up the SRI integrity hash for a Vite-processed asset URL.
+ * Returns the integrity string (e.g. `"sha384-..."`) during SSR when
+ * [`subresourceIntegrity`](https://svelte.dev/docs/kit/configuration#subresourceIntegrity) is enabled,
+ * or `undefined` on the client and in dev.
+ *
+ * ```svelte
+ * <script>
+ *   import scriptUrl from "./my-script.js?url";
+ *   import { integrity } from '$app/integrity';
+ * </script>
+ *
+ * <svelte:head>
+ *   <script src="{scriptUrl}" type="module" integrity={integrity(scriptUrl)} crossorigin="anonymous"></script>
+ * </svelte:head>
+ * ```
+ * @param url The asset URL (e.g. from a `?url` import)
+ * @since 2.54.0
+ */
+export function integrity(url: string): string | undefined;
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
index 7648a757e02c..e364e98ea816 100644
--- a/packages/kit/src/runtime/server/page/render.js
+++ b/packages/kit/src/runtime/server/page/render.js
@@ -69,6 +69,7 @@ export async function render_response({
 	}
 
 	const { client } = manifest._;
+	const integrity_map = client.integrity;
 
 	const modulepreloads = new Set(client.imports);
 	const stylesheets = new Set(client.stylesheets);
@@ -301,6 +302,10 @@ export async function render_response({
 			// include them in disabled state so that Vite can detect them and doesn't try to add them
 			attributes.push('disabled', 'media="(max-width: 0)"');
 		} else {
+			const integrity = integrity_map?.[dep];
+			if (integrity) {
+				attributes.push(`integrity="${integrity}"`, 'crossorigin="anonymous"');
+			}
 			if (resolve_opts.preload({ type: 'css', path })) {
 				link_headers.add(`<${encodeURI(path)}>; rel="preload"; as="style"; nopush`);
 			}
@@ -342,18 +347,30 @@ export async function render_response({
 		}
 
 		if (!client.inline) {
-			const included_modulepreloads = Array.from(modulepreloads, (dep) => prefixed(dep)).filter(
-				(path) => resolve_opts.preload({ type: 'js', path })
-			);
+			for (const dep of modulepreloads) {
+				const path = prefixed(dep);
+				if (!resolve_opts.preload({ type: 'js', path })) continue;
+
+				const integrity = integrity_map?.[dep];
 
-			for (const path of included_modulepreloads) {
 				// see the kit.output.preloadStrategy option for details on why we have multiple options here
 				link_headers.add(`<${encodeURI(path)}>; rel="modulepreload"; nopush`);
 
 				if (options.preload_strategy !== 'modulepreload') {
-					head.add_script_preload(path);
+					const attrs = ['rel="preload"', 'as="script"', 'crossorigin="anonymous"'];
+					if (integrity) {
+						attrs.push(`integrity="${integrity}"`);
+					}
+					head.add_script_preload(path, attrs);
 				} else {
-					head.add_link_tag(path, ['rel="modulepreload"']);
+					const attrs = ['rel="modulepreload"'];
+					if (integrity) {
+						// Must emit HTML tag (not just Link header) for SRI to work
+						attrs.push(`integrity="${integrity}"`, 'crossorigin="anonymous"');
+						head.add_script_preload(path, attrs);
+					} else {
+						head.add_link_tag(path, attrs);
+					}
 				}
 			}
 		}
@@ -598,6 +615,15 @@ export async function render_response({
 		if (link_headers.size) {
 			headers.set('link', Array.from(link_headers).join(', '));
 		}
+
+		if (integrity_map) {
+			const destinations = 'script style';
+			const endpoints = options.integrity_policy_endpoints.join(' ');
+			headers.set(
+				'integrity-policy',
+				`blocked-destinations=(${destinations}),endpoints=(${endpoints})`
+			);
+		}
 	}
 
 	const html = options.templates.app({
@@ -712,11 +738,12 @@ class Head {
 		this.#stylesheet_links.push(`<link href="${href}" ${attributes.join(' ')}>`);
 	}
 
-	/** @param {string} href */
-	add_script_preload(href) {
-		this.#script_preloads.push(
-			`<link rel="preload" as="script" crossorigin="anonymous" href="${href}">`
-		);
+	/**
+	 * @param {string} href
+	 * @param {string[]} attributes
+	 */
+	add_script_preload(href, attributes) {
+		this.#script_preloads.push(`<link href="${href}" ${attributes.join(' ')}>`);
 	}
 
 	/**
diff --git a/packages/kit/src/types/internal.d.ts b/packages/kit/src/types/internal.d.ts
index 0be5b25d7655..991b0ee21e81 100644
--- a/packages/kit/src/types/internal.d.ts
+++ b/packages/kit/src/types/internal.d.ts
@@ -100,6 +100,8 @@ export interface BuildData {
 		stylesheets: string[];
 		fonts: string[];
 		uses_env_dynamic_public: boolean;
+		/** Maps asset file paths to SRI integrity strings (e.g. "sha384-..."). Only set when `subresourceIntegrity` is enabled. */
+		integrity?: Record<string, string>;
 		/** Only set in case of `bundleStrategy === 'inline'`. */
 		inline?: {
 			script: string;
@@ -478,6 +480,7 @@ export interface SSROptions {
 		}): string;
 		error(values: { message: string; status: number }): string;
 	};
+	integrity_policy_endpoints: string[];
 	version_hash: string;
 }
 
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index 7d7b33a81863..c9459c2b5189 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -2451,6 +2451,8 @@ declare module '@sveltejs/kit' {
 			stylesheets: string[];
 			fonts: string[];
 			uses_env_dynamic_public: boolean;
+			/** Maps asset file paths to SRI integrity strings (e.g. "sha384-..."). Only set when `subresourceIntegrity` is enabled. */
+			integrity?: Record<string, string>;
 			/** Only set in case of `bundleStrategy === 'inline'`. */
 			inline?: {
 				script: string;
@@ -2998,6 +3000,31 @@ declare module '$app/forms' {
 	export {};
 }
 
+declare module '$app/integrity' {
+	/**
+	 * Look up the SRI integrity hash for a Vite-processed asset URL.
+	 * Returns the integrity string (e.g. `"sha384-..."`) during SSR when
+	 * [`subresourceIntegrity`](https://svelte.dev/docs/kit/configuration#subresourceIntegrity) is enabled,
+	 * or `undefined` on the client and in dev.
+	 *
+	 * ```svelte
+	 * <script>
+	 *   import scriptUrl from "./my-script.js?url";
+	 *   import { integrity } from '$app/integrity';
+	 * </script>
+	 *
+	 * <svelte:head>
+	 *   <script src="{scriptUrl}" type="module" integrity={integrity(scriptUrl)} crossorigin="anonymous"></script>
+	 * </svelte:head>
+	 * ```
+	 * @param url The asset URL (e.g. from a `?url` import)
+	 * @since 2.54.0
+	 */
+	export function integrity(url: string): string | undefined;
+
+	export {};
+}
+
 declare module '$app/navigation' {
 	/**
 	 * A lifecycle function that runs the supplied `callback` when the current component mounts, and also whenever we navigate to a URL.

From 28d2e2f5bcf8fa5e72bb3f48353413dc512c6480 Mon Sep 17 00:00:00 2001
From: will Farrell <willfarrell@proton.me>
Date: Thu, 26 Feb 2026 11:47:54 -0700
Subject: [PATCH 2/6] test: add in proper test and types

Signed-off-by: will Farrell <willfarrell@proton.me>
---
 packages/kit/src/exports/public.d.ts          | 15 ++++++
 packages/kit/test/apps/options-4/package.json | 22 +++++++++
 .../test/apps/options-4/playwright.config.js  |  1 +
 packages/kit/test/apps/options-4/src/app.html | 11 +++++
 .../apps/options-4/src/routes/+layout.svelte  |  7 +++
 .../apps/options-4/src/routes/+page.svelte    |  1 +
 .../options-4/src/routes/styled/+page.svelte  |  7 +++
 .../kit/test/apps/options-4/svelte.config.js  | 11 +++++
 packages/kit/test/apps/options-4/test/test.js | 49 +++++++++++++++++++
 .../kit/test/apps/options-4/tsconfig.json     |  8 +++
 .../kit/test/apps/options-4/vite.config.js    | 18 +++++++
 packages/kit/types/index.d.ts                 | 15 ++++++
 pnpm-lock.yaml                                | 21 ++++++++
 13 files changed, 186 insertions(+)
 create mode 100644 packages/kit/test/apps/options-4/package.json
 create mode 100644 packages/kit/test/apps/options-4/playwright.config.js
 create mode 100644 packages/kit/test/apps/options-4/src/app.html
 create mode 100644 packages/kit/test/apps/options-4/src/routes/+layout.svelte
 create mode 100644 packages/kit/test/apps/options-4/src/routes/+page.svelte
 create mode 100644 packages/kit/test/apps/options-4/src/routes/styled/+page.svelte
 create mode 100644 packages/kit/test/apps/options-4/svelte.config.js
 create mode 100644 packages/kit/test/apps/options-4/test/test.js
 create mode 100644 packages/kit/test/apps/options-4/tsconfig.json
 create mode 100644 packages/kit/test/apps/options-4/vite.config.js

diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
index b620044814d5..59ba19b62771 100644
--- a/packages/kit/src/exports/public.d.ts
+++ b/packages/kit/src/exports/public.d.ts
@@ -597,6 +597,16 @@ export interface KitConfig {
 	 * @default 0
 	 */
 	inlineStyleThreshold?: number;
+	/**
+	 * Configuration for the [`Integrity-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy) response header, which is set when `subresourceIntegrity` is enabled.
+	 */
+	integrityPolicy?: {
+		/**
+		 * The reporting endpoints to include in the `Integrity-Policy` header.
+		 * @default ["default"]
+		 */
+		endpoints?: string[];
+	};
 	/**
 	 * An array of file extensions that SvelteKit will treat as modules. Files with extensions that match neither `config.extensions` nor `config.kit.moduleExtensions` will be ignored by the router.
 	 * @default [".js", ".ts"]
@@ -846,6 +856,11 @@ export interface KitConfig {
 				register?: false;
 		  }
 	);
+	/**
+	 * Enable [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) (SRI) hash generation for scripts and stylesheets. When set to a hash algorithm, SvelteKit will compute integrity hashes for all client assets at build time and add `integrity` and `crossorigin` attributes to `<link>` and `<script>` tags.
+	 * @default false
+	 */
+	subresourceIntegrity?: false | 'sha256' | 'sha384' | 'sha512';
 	typescript?: {
 		/**
 		 * A function that allows you to edit the generated `tsconfig.json`. You can mutate the config (recommended) or return a new one.
diff --git a/packages/kit/test/apps/options-4/package.json b/packages/kit/test/apps/options-4/package.json
new file mode 100644
index 000000000000..a58385f3f30a
--- /dev/null
+++ b/packages/kit/test/apps/options-4/package.json
@@ -0,0 +1,22 @@
+{
+	"name": "test-options-4",
+	"private": true,
+	"version": "0.0.1",
+	"scripts": {
+		"dev": "vite dev",
+		"build": "vite build",
+		"preview": "vite preview",
+		"prepare": "svelte-kit sync",
+		"check": "svelte-kit sync && tsc && svelte-check",
+		"test": "playwright test"
+	},
+	"devDependencies": {
+		"@sveltejs/kit": "workspace:^",
+		"@sveltejs/vite-plugin-svelte": "catalog:",
+		"svelte": "catalog:",
+		"svelte-check": "catalog:",
+		"typescript": "^5.5.4",
+		"vite": "catalog:"
+	},
+	"type": "module"
+}
diff --git a/packages/kit/test/apps/options-4/playwright.config.js b/packages/kit/test/apps/options-4/playwright.config.js
new file mode 100644
index 000000000000..33d36b651014
--- /dev/null
+++ b/packages/kit/test/apps/options-4/playwright.config.js
@@ -0,0 +1 @@
+export { config as default } from '../../utils.js';
diff --git a/packages/kit/test/apps/options-4/src/app.html b/packages/kit/test/apps/options-4/src/app.html
new file mode 100644
index 000000000000..b8ba4699b2ba
--- /dev/null
+++ b/packages/kit/test/apps/options-4/src/app.html
@@ -0,0 +1,11 @@
+<!doctype html>
+<html lang="en">
+	<head>
+		<meta charset="utf-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		%sveltekit.head%
+	</head>
+	<body>
+		<div style="display: contents">%sveltekit.body%</div>
+	</body>
+</html>
diff --git a/packages/kit/test/apps/options-4/src/routes/+layout.svelte b/packages/kit/test/apps/options-4/src/routes/+layout.svelte
new file mode 100644
index 000000000000..5e1f1fed86c2
--- /dev/null
+++ b/packages/kit/test/apps/options-4/src/routes/+layout.svelte
@@ -0,0 +1,7 @@
+<script>
+	import { setup } from '../../../../setup.js';
+
+	setup();
+</script>
+
+<slot />
diff --git a/packages/kit/test/apps/options-4/src/routes/+page.svelte b/packages/kit/test/apps/options-4/src/routes/+page.svelte
new file mode 100644
index 000000000000..d5002f962ef9
--- /dev/null
+++ b/packages/kit/test/apps/options-4/src/routes/+page.svelte
@@ -0,0 +1 @@
+<h1>SRI test</h1>
diff --git a/packages/kit/test/apps/options-4/src/routes/styled/+page.svelte b/packages/kit/test/apps/options-4/src/routes/styled/+page.svelte
new file mode 100644
index 000000000000..d7eadd1e22d5
--- /dev/null
+++ b/packages/kit/test/apps/options-4/src/routes/styled/+page.svelte
@@ -0,0 +1,7 @@
+<h1 class="styled">Styled page</h1>
+
+<style>
+	.styled {
+		color: red;
+	}
+</style>
diff --git a/packages/kit/test/apps/options-4/svelte.config.js b/packages/kit/test/apps/options-4/svelte.config.js
new file mode 100644
index 000000000000..1ec96b3cbc8d
--- /dev/null
+++ b/packages/kit/test/apps/options-4/svelte.config.js
@@ -0,0 +1,11 @@
+/** @type {import('@sveltejs/kit').Config} */
+const config = {
+	kit: {
+		subresourceIntegrity: 'sha384',
+		integrityPolicy: {
+			endpoints: ['default']
+		}
+	}
+};
+
+export default config;
diff --git a/packages/kit/test/apps/options-4/test/test.js b/packages/kit/test/apps/options-4/test/test.js
new file mode 100644
index 000000000000..0df4cdcdbe2a
--- /dev/null
+++ b/packages/kit/test/apps/options-4/test/test.js
@@ -0,0 +1,49 @@
+import process from 'node:process';
+import { expect } from '@playwright/test';
+import { test } from '../../../utils.js';
+
+test.describe.configure({ mode: 'parallel' });
+
+test.describe('subresourceIntegrity', () => {
+	test.skip(() => !!process.env.DEV);
+
+	test('adds integrity attribute to script preloads', async ({ request }) => {
+		const response = await request.get('/');
+		const html = await response.text();
+
+		// All preloaded scripts should have integrity attributes
+		const link_tags = html.match(/<link[^>]+>/g) ?? [];
+		const script_links = link_tags.filter(
+			(tag) => tag.includes('as="script"') || tag.includes('rel="modulepreload"')
+		);
+
+		expect(script_links.length).toBeGreaterThan(0);
+
+		for (const tag of script_links) {
+			expect(tag).toMatch(/integrity="sha384-[A-Za-z0-9+/=]+"/);
+			expect(tag).toContain('crossorigin="anonymous"');
+		}
+	});
+
+	test('adds integrity attribute to stylesheet links', async ({ request }) => {
+		const response = await request.get('/styled');
+		const html = await response.text();
+
+		const link_tags = html.match(/<link[^>]+>/g) ?? [];
+		const stylesheet_links = link_tags.filter((tag) => tag.includes('rel="stylesheet"'));
+
+		expect(stylesheet_links.length).toBeGreaterThan(0);
+
+		for (const tag of stylesheet_links) {
+			expect(tag).toMatch(/integrity="sha384-[A-Za-z0-9+/=]+"/);
+			expect(tag).toContain('crossorigin="anonymous"');
+		}
+	});
+
+	test('sets integrity-policy response header', async ({ request }) => {
+		const response = await request.get('/');
+		const header = response.headers()['integrity-policy'];
+
+		expect(header).toBe('blocked-destinations=(script style),endpoints=(default)');
+	});
+});
diff --git a/packages/kit/test/apps/options-4/tsconfig.json b/packages/kit/test/apps/options-4/tsconfig.json
new file mode 100644
index 000000000000..b1096bf168cd
--- /dev/null
+++ b/packages/kit/test/apps/options-4/tsconfig.json
@@ -0,0 +1,8 @@
+{
+	"compilerOptions": {
+		"allowJs": true,
+		"checkJs": true,
+		"noEmit": true
+	},
+	"extends": "./.svelte-kit/tsconfig.json"
+}
diff --git a/packages/kit/test/apps/options-4/vite.config.js b/packages/kit/test/apps/options-4/vite.config.js
new file mode 100644
index 000000000000..69200cdb7cd8
--- /dev/null
+++ b/packages/kit/test/apps/options-4/vite.config.js
@@ -0,0 +1,18 @@
+import * as path from 'node:path';
+import { sveltekit } from '@sveltejs/kit/vite';
+
+/** @type {import('vite').UserConfig} */
+const config = {
+	build: {
+		minify: false
+	},
+	clearScreen: false,
+	plugins: [sveltekit()],
+	server: {
+		fs: {
+			allow: [path.resolve('../../../src')]
+		}
+	}
+};
+
+export default config;
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index c9459c2b5189..3fd2fbb16332 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -571,6 +571,16 @@ declare module '@sveltejs/kit' {
 		 * @default 0
 		 */
 		inlineStyleThreshold?: number;
+		/**
+		 * Configuration for the [`Integrity-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy) response header, which is set when `subresourceIntegrity` is enabled.
+		 */
+		integrityPolicy?: {
+			/**
+			 * The reporting endpoints to include in the `Integrity-Policy` header.
+			 * @default ["default"]
+			 */
+			endpoints?: string[];
+		};
 		/**
 		 * An array of file extensions that SvelteKit will treat as modules. Files with extensions that match neither `config.extensions` nor `config.kit.moduleExtensions` will be ignored by the router.
 		 * @default [".js", ".ts"]
@@ -820,6 +830,11 @@ declare module '@sveltejs/kit' {
 					register?: false;
 			  }
 		);
+		/**
+		 * Enable [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) (SRI) hash generation for scripts and stylesheets. When set to a hash algorithm, SvelteKit will compute integrity hashes for all client assets at build time and add `integrity` and `crossorigin` attributes to `<link>` and `<script>` tags.
+		 * @default false
+		 */
+		subresourceIntegrity?: false | 'sha256' | 'sha384' | 'sha512';
 		typescript?: {
 			/**
 			 * A function that allows you to edit the generated `tsconfig.json`. You can mutate the config (recommended) or return a new one.
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 743bd8a0d9b9..83af1878b0a6 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -903,6 +903,27 @@ importers:
         specifier: 'catalog:'
         version: 6.4.1(@types/node@18.19.119)(jiti@2.4.2)(lightningcss@1.30.1)(yaml@2.8.0)
 
+  packages/kit/test/apps/options-4:
+    devDependencies:
+      '@sveltejs/kit':
+        specifier: workspace:^
+        version: link:../../..
+      '@sveltejs/vite-plugin-svelte':
+        specifier: 'catalog:'
+        version: 6.2.4(svelte@5.53.5)(vite@6.4.1(@types/node@18.19.119)(jiti@2.4.2)(lightningcss@1.30.1)(yaml@2.8.0))
+      svelte:
+        specifier: 'catalog:'
+        version: 5.53.5
+      svelte-check:
+        specifier: 'catalog:'
+        version: 4.3.4(picomatch@4.0.3)(svelte@5.53.5)(typescript@5.8.3)
+      typescript:
+        specifier: ^5.5.4
+        version: 5.8.3
+      vite:
+        specifier: 'catalog:'
+        version: 6.4.1(@types/node@18.19.119)(jiti@2.4.2)(lightningcss@1.30.1)(yaml@2.8.0)
+
   packages/kit/test/apps/prerendered-app-error-pages:
     devDependencies:
       '@sveltejs/kit':

From 4839b7bad4721980174563067cda81ac4c300240 Mon Sep 17 00:00:00 2001
From: will Farrell <willfarrell@proton.me>
Date: Thu, 26 Feb 2026 12:21:14 -0700
Subject: [PATCH 3/6] test: integrate tests into shared app test

Signed-off-by: will Farrell <willfarrell@proton.me>
---
 packages/kit/test/apps/options-4/package.json | 22 -----
 .../test/apps/options-4/playwright.config.js  |  1 -
 packages/kit/test/apps/options-4/src/app.html | 11 ---
 .../apps/options-4/src/routes/+layout.svelte  |  7 --
 .../apps/options-4/src/routes/+page.svelte    |  1 -
 .../options-4/src/routes/styled/+page.svelte  |  7 --
 .../kit/test/apps/options-4/svelte.config.js  | 11 ---
 packages/kit/test/apps/options-4/test/test.js | 49 ----------
 .../kit/test/apps/options-4/tsconfig.json     |  8 --
 .../kit/test/apps/options-4/vite.config.js    | 18 ----
 .../source/pages/integrity/+page.svelte       | 13 +++
 .../source/pages/integrity/bootstrap.js       |  1 +
 .../kit/test/apps/options/svelte.config.js    |  4 +
 packages/kit/test/apps/options/test/test.js   | 89 +++++++++++++++++++
 14 files changed, 107 insertions(+), 135 deletions(-)
 delete mode 100644 packages/kit/test/apps/options-4/package.json
 delete mode 100644 packages/kit/test/apps/options-4/playwright.config.js
 delete mode 100644 packages/kit/test/apps/options-4/src/app.html
 delete mode 100644 packages/kit/test/apps/options-4/src/routes/+layout.svelte
 delete mode 100644 packages/kit/test/apps/options-4/src/routes/+page.svelte
 delete mode 100644 packages/kit/test/apps/options-4/src/routes/styled/+page.svelte
 delete mode 100644 packages/kit/test/apps/options-4/svelte.config.js
 delete mode 100644 packages/kit/test/apps/options-4/test/test.js
 delete mode 100644 packages/kit/test/apps/options-4/tsconfig.json
 delete mode 100644 packages/kit/test/apps/options-4/vite.config.js
 create mode 100644 packages/kit/test/apps/options/source/pages/integrity/+page.svelte
 create mode 100644 packages/kit/test/apps/options/source/pages/integrity/bootstrap.js

diff --git a/packages/kit/test/apps/options-4/package.json b/packages/kit/test/apps/options-4/package.json
deleted file mode 100644
index a58385f3f30a..000000000000
--- a/packages/kit/test/apps/options-4/package.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-	"name": "test-options-4",
-	"private": true,
-	"version": "0.0.1",
-	"scripts": {
-		"dev": "vite dev",
-		"build": "vite build",
-		"preview": "vite preview",
-		"prepare": "svelte-kit sync",
-		"check": "svelte-kit sync && tsc && svelte-check",
-		"test": "playwright test"
-	},
-	"devDependencies": {
-		"@sveltejs/kit": "workspace:^",
-		"@sveltejs/vite-plugin-svelte": "catalog:",
-		"svelte": "catalog:",
-		"svelte-check": "catalog:",
-		"typescript": "^5.5.4",
-		"vite": "catalog:"
-	},
-	"type": "module"
-}
diff --git a/packages/kit/test/apps/options-4/playwright.config.js b/packages/kit/test/apps/options-4/playwright.config.js
deleted file mode 100644
index 33d36b651014..000000000000
--- a/packages/kit/test/apps/options-4/playwright.config.js
+++ /dev/null
@@ -1 +0,0 @@
-export { config as default } from '../../utils.js';
diff --git a/packages/kit/test/apps/options-4/src/app.html b/packages/kit/test/apps/options-4/src/app.html
deleted file mode 100644
index b8ba4699b2ba..000000000000
--- a/packages/kit/test/apps/options-4/src/app.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<!doctype html>
-<html lang="en">
-	<head>
-		<meta charset="utf-8" />
-		<meta name="viewport" content="width=device-width, initial-scale=1" />
-		%sveltekit.head%
-	</head>
-	<body>
-		<div style="display: contents">%sveltekit.body%</div>
-	</body>
-</html>
diff --git a/packages/kit/test/apps/options-4/src/routes/+layout.svelte b/packages/kit/test/apps/options-4/src/routes/+layout.svelte
deleted file mode 100644
index 5e1f1fed86c2..000000000000
--- a/packages/kit/test/apps/options-4/src/routes/+layout.svelte
+++ /dev/null
@@ -1,7 +0,0 @@
-<script>
-	import { setup } from '../../../../setup.js';
-
-	setup();
-</script>
-
-<slot />
diff --git a/packages/kit/test/apps/options-4/src/routes/+page.svelte b/packages/kit/test/apps/options-4/src/routes/+page.svelte
deleted file mode 100644
index d5002f962ef9..000000000000
--- a/packages/kit/test/apps/options-4/src/routes/+page.svelte
+++ /dev/null
@@ -1 +0,0 @@
-<h1>SRI test</h1>
diff --git a/packages/kit/test/apps/options-4/src/routes/styled/+page.svelte b/packages/kit/test/apps/options-4/src/routes/styled/+page.svelte
deleted file mode 100644
index d7eadd1e22d5..000000000000
--- a/packages/kit/test/apps/options-4/src/routes/styled/+page.svelte
+++ /dev/null
@@ -1,7 +0,0 @@
-<h1 class="styled">Styled page</h1>
-
-<style>
-	.styled {
-		color: red;
-	}
-</style>
diff --git a/packages/kit/test/apps/options-4/svelte.config.js b/packages/kit/test/apps/options-4/svelte.config.js
deleted file mode 100644
index 1ec96b3cbc8d..000000000000
--- a/packages/kit/test/apps/options-4/svelte.config.js
+++ /dev/null
@@ -1,11 +0,0 @@
-/** @type {import('@sveltejs/kit').Config} */
-const config = {
-	kit: {
-		subresourceIntegrity: 'sha384',
-		integrityPolicy: {
-			endpoints: ['default']
-		}
-	}
-};
-
-export default config;
diff --git a/packages/kit/test/apps/options-4/test/test.js b/packages/kit/test/apps/options-4/test/test.js
deleted file mode 100644
index 0df4cdcdbe2a..000000000000
--- a/packages/kit/test/apps/options-4/test/test.js
+++ /dev/null
@@ -1,49 +0,0 @@
-import process from 'node:process';
-import { expect } from '@playwright/test';
-import { test } from '../../../utils.js';
-
-test.describe.configure({ mode: 'parallel' });
-
-test.describe('subresourceIntegrity', () => {
-	test.skip(() => !!process.env.DEV);
-
-	test('adds integrity attribute to script preloads', async ({ request }) => {
-		const response = await request.get('/');
-		const html = await response.text();
-
-		// All preloaded scripts should have integrity attributes
-		const link_tags = html.match(/<link[^>]+>/g) ?? [];
-		const script_links = link_tags.filter(
-			(tag) => tag.includes('as="script"') || tag.includes('rel="modulepreload"')
-		);
-
-		expect(script_links.length).toBeGreaterThan(0);
-
-		for (const tag of script_links) {
-			expect(tag).toMatch(/integrity="sha384-[A-Za-z0-9+/=]+"/);
-			expect(tag).toContain('crossorigin="anonymous"');
-		}
-	});
-
-	test('adds integrity attribute to stylesheet links', async ({ request }) => {
-		const response = await request.get('/styled');
-		const html = await response.text();
-
-		const link_tags = html.match(/<link[^>]+>/g) ?? [];
-		const stylesheet_links = link_tags.filter((tag) => tag.includes('rel="stylesheet"'));
-
-		expect(stylesheet_links.length).toBeGreaterThan(0);
-
-		for (const tag of stylesheet_links) {
-			expect(tag).toMatch(/integrity="sha384-[A-Za-z0-9+/=]+"/);
-			expect(tag).toContain('crossorigin="anonymous"');
-		}
-	});
-
-	test('sets integrity-policy response header', async ({ request }) => {
-		const response = await request.get('/');
-		const header = response.headers()['integrity-policy'];
-
-		expect(header).toBe('blocked-destinations=(script style),endpoints=(default)');
-	});
-});
diff --git a/packages/kit/test/apps/options-4/tsconfig.json b/packages/kit/test/apps/options-4/tsconfig.json
deleted file mode 100644
index b1096bf168cd..000000000000
--- a/packages/kit/test/apps/options-4/tsconfig.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-	"compilerOptions": {
-		"allowJs": true,
-		"checkJs": true,
-		"noEmit": true
-	},
-	"extends": "./.svelte-kit/tsconfig.json"
-}
diff --git a/packages/kit/test/apps/options-4/vite.config.js b/packages/kit/test/apps/options-4/vite.config.js
deleted file mode 100644
index 69200cdb7cd8..000000000000
--- a/packages/kit/test/apps/options-4/vite.config.js
+++ /dev/null
@@ -1,18 +0,0 @@
-import * as path from 'node:path';
-import { sveltekit } from '@sveltejs/kit/vite';
-
-/** @type {import('vite').UserConfig} */
-const config = {
-	build: {
-		minify: false
-	},
-	clearScreen: false,
-	plugins: [sveltekit()],
-	server: {
-		fs: {
-			allow: [path.resolve('../../../src')]
-		}
-	}
-};
-
-export default config;
diff --git a/packages/kit/test/apps/options/source/pages/integrity/+page.svelte b/packages/kit/test/apps/options/source/pages/integrity/+page.svelte
new file mode 100644
index 000000000000..1e2689421b85
--- /dev/null
+++ b/packages/kit/test/apps/options/source/pages/integrity/+page.svelte
@@ -0,0 +1,13 @@
+<script>
+	import { integrity } from '$app/integrity';
+	import bootstrapUrl from './bootstrap.js?url';
+
+	const hash = integrity(bootstrapUrl);
+</script>
+
+<svelte:head>
+	<script src={bootstrapUrl} type="module" integrity={hash} crossorigin="anonymous"></script>
+</svelte:head>
+
+<p id="url">{bootstrapUrl}</p>
+<p id="hash">{hash ?? ''}</p>
diff --git a/packages/kit/test/apps/options/source/pages/integrity/bootstrap.js b/packages/kit/test/apps/options/source/pages/integrity/bootstrap.js
new file mode 100644
index 000000000000..85f60bd716b2
--- /dev/null
+++ b/packages/kit/test/apps/options/source/pages/integrity/bootstrap.js
@@ -0,0 +1 @@
+console.log('bootstrap');
diff --git a/packages/kit/test/apps/options/svelte.config.js b/packages/kit/test/apps/options/svelte.config.js
index 4852cc71596d..dc4f32cc4949 100644
--- a/packages/kit/test/apps/options/svelte.config.js
+++ b/packages/kit/test/apps/options/svelte.config.js
@@ -29,6 +29,10 @@ const config = {
 		output: {
 			preloadStrategy: 'preload-mjs'
 		},
+		subresourceIntegrity: 'sha384',
+		integrityPolicy: {
+			endpoints: ['other']
+		},
 		paths: {
 			base: '/path-base',
 			// @ts-expect-error our env var string can't match the https template literal
diff --git a/packages/kit/test/apps/options/test/test.js b/packages/kit/test/apps/options/test/test.js
index 87a6c02d7534..1fb9d222a3da 100644
--- a/packages/kit/test/apps/options/test/test.js
+++ b/packages/kit/test/apps/options/test/test.js
@@ -62,6 +62,95 @@ test.describe('CSP', () => {
 	});
 });
 
+test.describe('subresourceIntegrity and integrityPolicy', () => {
+	test.skip(() => !!process.env.DEV);
+
+	test('adds integrity attribute to script preloads', async ({ request }) => {
+		const response = await request.get('/path-base/inline-style');
+		const html = await response.text();
+
+		const link_tags = html.match(/<link[^>]+>/g) ?? [];
+		const script_links = link_tags.filter((tag) => tag.includes('as="script"'));
+
+		expect(script_links.length).toBeGreaterThan(0);
+
+		for (const tag of script_links) {
+			expect(tag).toMatch(/integrity="sha384-[A-Za-z0-9+/=]+"/);
+			expect(tag).toContain('crossorigin="anonymous"');
+		}
+	});
+
+	test('adds integrity attribute to stylesheet links', async ({ request }) => {
+		// /base has a CSS file (SvelteLogo) that exceeds inlineStyleThreshold,
+		// so it renders as a <link rel="stylesheet"> rather than being inlined
+		const response = await request.get('/path-base/base');
+		const html = await response.text();
+
+		const link_tags = html.match(/<link[^>]+>/g) ?? [];
+		const style_links = link_tags.filter(
+			(tag) => tag.includes('rel="stylesheet"') && !tag.includes('disabled')
+		);
+
+		expect(style_links.length).toBeGreaterThan(0);
+
+		for (const tag of style_links) {
+			expect(tag).toMatch(/integrity="sha384-[A-Za-z0-9+/=]+"/);
+			expect(tag).toContain('crossorigin="anonymous"');
+		}
+	});
+
+	test('entry script imports are covered by integrity preloads', async ({ request }) => {
+		const response = await request.get('/path-base/inline-style');
+		const html = await response.text();
+
+		// Extract URLs from integrity-protected preload links
+		const link_tags = html.match(/<link[^>]+>/g) ?? [];
+		const preloaded_urls = new Set(
+			link_tags
+				.filter((tag) => tag.includes('integrity='))
+				.map((tag) => tag.match(/href="([^"]+)"/)?.[1])
+				.filter(Boolean)
+		);
+
+		// Extract URLs from the inline boot script's import() calls
+		const script_match = html.match(/<script[^>]*>([\s\S]*?)<\/script>/);
+		expect(script_match).not.toBeNull();
+		const import_urls = [...script_match[1].matchAll(/import\("([^"]+)"\)/g)].map((m) => m[1]);
+		expect(import_urls.length).toBeGreaterThan(0);
+
+		// Every import() URL should have a corresponding integrity preload
+		for (const url of import_urls) {
+			expect(preloaded_urls).toContain(url);
+		}
+	});
+
+	test('$app/integrity returns hash for ?url imports', async ({ request }) => {
+		const response = await request.get('/path-base/integrity');
+		const html = await response.text();
+
+		// The page renders the hash from $app/integrity into #hash
+		const hash_match = html.match(/<p id="hash">([^<]+)<\/p>/);
+		expect(hash_match).not.toBeNull();
+		expect(hash_match[1]).toMatch(/^sha384-[A-Za-z0-9+/=]+$/);
+
+		// The page renders a <script> tag with integrity attribute
+		const script_match = html.match(/<script[^>]*src="([^"]+)"[^>]*integrity="([^"]+)"[^>]*>/);
+		expect(script_match).not.toBeNull();
+		expect(script_match[1]).toContain('bootstrap');
+		expect(script_match[2]).toMatch(/^sha384-[A-Za-z0-9+/=]+$/);
+
+		// The hash in the page text and the script tag should match
+		expect(script_match[2]).toBe(hash_match[1]);
+	});
+
+	test('sets integrity-policy response header', async ({ request }) => {
+		const response = await request.get('/path-base/inline-style');
+		const header = response.headers()['integrity-policy'];
+
+		expect(header).toBe('blocked-destinations=(script style),endpoints=(other)');
+	});
+});
+
 test.describe('Custom extensions', () => {
 	test('works with arbitrary extensions', async ({ page }) => {
 		await page.goto('/path-base/custom-extensions/');

From 811ac3f9d0b064c8f30503c49ceff14bdd9203a5 Mon Sep 17 00:00:00 2001
From: will Farrell <willfarrell@proton.me>
Date: Fri, 27 Feb 2026 10:15:26 -0700
Subject: [PATCH 4/6] revert: integrity-policy support

Signed-off-by: will Farrell <willfarrell@proton.me>
---
 packages/kit/src/core/config/index.spec.js      |  1 -
 packages/kit/src/core/config/options.js         |  4 ----
 packages/kit/src/core/sync/write_server.js      |  1 -
 packages/kit/src/exports/public.d.ts            | 10 ----------
 packages/kit/src/runtime/server/page/render.js  |  9 ---------
 packages/kit/src/types/internal.d.ts            |  1 -
 packages/kit/test/apps/options/svelte.config.js |  3 ---
 packages/kit/test/apps/options/test/test.js     |  8 +-------
 packages/kit/types/index.d.ts                   | 10 ----------
 9 files changed, 1 insertion(+), 46 deletions(-)

diff --git a/packages/kit/src/core/config/index.spec.js b/packages/kit/src/core/config/index.spec.js
index a9919e0be137..32642d2a66a3 100644
--- a/packages/kit/src/core/config/index.spec.js
+++ b/packages/kit/src/core/config/index.spec.js
@@ -100,7 +100,6 @@ const get_defaults = (prefix = '') => ({
 		},
 		inlineStyleThreshold: 0,
 		moduleExtensions: ['.js', '.ts'],
-		integrityPolicy: { endpoints: ['default'] },
 		output: {
 			preloadStrategy: 'modulepreload',
 			bundleStrategy: 'split'
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
index 16e412e2637a..0edf7eae12f1 100644
--- a/packages/kit/src/core/config/options.js
+++ b/packages/kit/src/core/config/options.js
@@ -154,10 +154,6 @@ const options = object(
 
 			inlineStyleThreshold: number(0),
 
-			integrityPolicy: object({
-				endpoints: string_array(['default'])
-			}),
-
 			moduleExtensions: string_array(['.js', '.ts']),
 
 			outDir: string('.svelte-kit'),
diff --git a/packages/kit/src/core/sync/write_server.js b/packages/kit/src/core/sync/write_server.js
index f0b6e460b825..ea7d9dfe0c99 100644
--- a/packages/kit/src/core/sync/write_server.js
+++ b/packages/kit/src/core/sync/write_server.js
@@ -47,7 +47,6 @@ export const options = {
 	hash_routing: ${s(config.kit.router.type === 'hash')},
 	hooks: null, // added lazily, via \`get_hooks\`
 	preload_strategy: ${s(config.kit.output.preloadStrategy)},
-	integrity_policy_endpoints: ${s(config.kit.integrityPolicy.endpoints)},
 	root,
 	service_worker: ${has_service_worker},
 	service_worker_options: ${config.kit.serviceWorker.register ? s(config.kit.serviceWorker.options) : 'null'},
diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
index 59ba19b62771..4975fbce2ec1 100644
--- a/packages/kit/src/exports/public.d.ts
+++ b/packages/kit/src/exports/public.d.ts
@@ -597,16 +597,6 @@ export interface KitConfig {
 	 * @default 0
 	 */
 	inlineStyleThreshold?: number;
-	/**
-	 * Configuration for the [`Integrity-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy) response header, which is set when `subresourceIntegrity` is enabled.
-	 */
-	integrityPolicy?: {
-		/**
-		 * The reporting endpoints to include in the `Integrity-Policy` header.
-		 * @default ["default"]
-		 */
-		endpoints?: string[];
-	};
 	/**
 	 * An array of file extensions that SvelteKit will treat as modules. Files with extensions that match neither `config.extensions` nor `config.kit.moduleExtensions` will be ignored by the router.
 	 * @default [".js", ".ts"]
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
index e364e98ea816..9a35b410c5c2 100644
--- a/packages/kit/src/runtime/server/page/render.js
+++ b/packages/kit/src/runtime/server/page/render.js
@@ -615,15 +615,6 @@ export async function render_response({
 		if (link_headers.size) {
 			headers.set('link', Array.from(link_headers).join(', '));
 		}
-
-		if (integrity_map) {
-			const destinations = 'script style';
-			const endpoints = options.integrity_policy_endpoints.join(' ');
-			headers.set(
-				'integrity-policy',
-				`blocked-destinations=(${destinations}),endpoints=(${endpoints})`
-			);
-		}
 	}
 
 	const html = options.templates.app({
diff --git a/packages/kit/src/types/internal.d.ts b/packages/kit/src/types/internal.d.ts
index 991b0ee21e81..6292e1c82ad9 100644
--- a/packages/kit/src/types/internal.d.ts
+++ b/packages/kit/src/types/internal.d.ts
@@ -480,7 +480,6 @@ export interface SSROptions {
 		}): string;
 		error(values: { message: string; status: number }): string;
 	};
-	integrity_policy_endpoints: string[];
 	version_hash: string;
 }
 
diff --git a/packages/kit/test/apps/options/svelte.config.js b/packages/kit/test/apps/options/svelte.config.js
index dc4f32cc4949..488da2dbeec4 100644
--- a/packages/kit/test/apps/options/svelte.config.js
+++ b/packages/kit/test/apps/options/svelte.config.js
@@ -30,9 +30,6 @@ const config = {
 			preloadStrategy: 'preload-mjs'
 		},
 		subresourceIntegrity: 'sha384',
-		integrityPolicy: {
-			endpoints: ['other']
-		},
 		paths: {
 			base: '/path-base',
 			// @ts-expect-error our env var string can't match the https template literal
diff --git a/packages/kit/test/apps/options/test/test.js b/packages/kit/test/apps/options/test/test.js
index 1fb9d222a3da..3158ec4dc9fa 100644
--- a/packages/kit/test/apps/options/test/test.js
+++ b/packages/kit/test/apps/options/test/test.js
@@ -62,7 +62,7 @@ test.describe('CSP', () => {
 	});
 });
 
-test.describe('subresourceIntegrity and integrityPolicy', () => {
+test.describe('subresourceIntegrity', () => {
 	test.skip(() => !!process.env.DEV);
 
 	test('adds integrity attribute to script preloads', async ({ request }) => {
@@ -143,12 +143,6 @@ test.describe('subresourceIntegrity and integrityPolicy', () => {
 		expect(script_match[2]).toBe(hash_match[1]);
 	});
 
-	test('sets integrity-policy response header', async ({ request }) => {
-		const response = await request.get('/path-base/inline-style');
-		const header = response.headers()['integrity-policy'];
-
-		expect(header).toBe('blocked-destinations=(script style),endpoints=(other)');
-	});
 });
 
 test.describe('Custom extensions', () => {
diff --git a/packages/kit/types/index.d.ts b/packages/kit/types/index.d.ts
index 3fd2fbb16332..65196026a67a 100644
--- a/packages/kit/types/index.d.ts
+++ b/packages/kit/types/index.d.ts
@@ -571,16 +571,6 @@ declare module '@sveltejs/kit' {
 		 * @default 0
 		 */
 		inlineStyleThreshold?: number;
-		/**
-		 * Configuration for the [`Integrity-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Integrity-Policy) response header, which is set when `subresourceIntegrity` is enabled.
-		 */
-		integrityPolicy?: {
-			/**
-			 * The reporting endpoints to include in the `Integrity-Policy` header.
-			 * @default ["default"]
-			 */
-			endpoints?: string[];
-		};
 		/**
 		 * An array of file extensions that SvelteKit will treat as modules. Files with extensions that match neither `config.extensions` nor `config.kit.moduleExtensions` will be ignored by the router.
 		 * @default [".js", ".ts"]

From 163df1a6f3a2e779c8f89eda8391f2db0a274aaa Mon Sep 17 00:00:00 2001
From: will Farrell <willfarrell@proton.me>
Date: Fri, 27 Feb 2026 10:19:06 -0700
Subject: [PATCH 5/6] chore: fix lint

Signed-off-by: will Farrell <willfarrell@proton.me>
---
 packages/kit/test/apps/options/test/test.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/kit/test/apps/options/test/test.js b/packages/kit/test/apps/options/test/test.js
index 3158ec4dc9fa..aa71d897401a 100644
--- a/packages/kit/test/apps/options/test/test.js
+++ b/packages/kit/test/apps/options/test/test.js
@@ -142,7 +142,6 @@ test.describe('subresourceIntegrity', () => {
 		// The hash in the page text and the script tag should match
 		expect(script_match[2]).toBe(hash_match[1]);
 	});
-
 });
 
 test.describe('Custom extensions', () => {

From 2c466569d7a40d085e9cac040c6604e62d0b7e15 Mon Sep 17 00:00:00 2001
From: will Farrell <willfarrell@proton.me>
Date: Fri, 27 Feb 2026 12:03:37 -0700
Subject: [PATCH 6/6] test: add in test to validate hash

Signed-off-by: will Farrell <willfarrell@proton.me>
---
 packages/kit/src/exports/vite/index.js      |  5 ++--
 packages/kit/test/apps/options/test/test.js | 30 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/packages/kit/src/exports/vite/index.js b/packages/kit/src/exports/vite/index.js
index 8d995cba8ec0..3e03e3fc0b89 100644
--- a/packages/kit/src/exports/vite/index.js
+++ b/packages/kit/src/exports/vite/index.js
@@ -1270,7 +1270,8 @@ async function kit({ svelte_config }) {
 					}
 				}
 
-				// Compute SRI integrity hashes
+				// Compute SRI integrity hashes from the files on disk, to ensure
+				// the hash matches the content the browser will actually receive
 				if (build_data.client && svelte_config.kit.subresourceIntegrity) {
 					const algorithm = svelte_config.kit.subresourceIntegrity;
 					/** @type {Record<string, string>} */
@@ -1279,7 +1280,7 @@ async function kit({ svelte_config }) {
 					for (const chunk of /** @type {import('vite').Rollup.OutputBundle[string][]} */ (
 						client_chunks
 					)) {
-						const content = chunk.type === 'chunk' ? chunk.code : chunk.source;
+						const content = fs.readFileSync(`${out}/client/${chunk.fileName}`);
 						const hash = createHash(algorithm).update(content).digest('base64');
 						integrity[chunk.fileName] = `${algorithm}-${hash}`;
 					}
diff --git a/packages/kit/test/apps/options/test/test.js b/packages/kit/test/apps/options/test/test.js
index aa71d897401a..99f5af5619d3 100644
--- a/packages/kit/test/apps/options/test/test.js
+++ b/packages/kit/test/apps/options/test/test.js
@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto';
 import * as http from 'node:http';
 import process from 'node:process';
 import { expect } from '@playwright/test';
@@ -124,6 +125,35 @@ test.describe('subresourceIntegrity', () => {
 		}
 	});
 
+	test('integrity hashes match actual file content', async ({ request }) => {
+		const response = await request.get('/path-base/inline-style');
+		const html = await response.text();
+
+		const link_tags = html.match(/<link[^>]+>/g) ?? [];
+		const links_with_integrity = link_tags
+			.filter((tag) => tag.includes('integrity='))
+			.map((tag) => {
+				const href = tag.match(/href="([^"]+)"/)?.[1];
+				const integrity = tag.match(/integrity="([^"]+)"/)?.[1];
+				return { href, integrity };
+			})
+			.filter((l) => l.href && l.integrity);
+
+		expect(links_with_integrity.length).toBeGreaterThan(0);
+
+		for (const { href, integrity } of links_with_integrity) {
+			// Resolve the relative href against the response URL to get a correct absolute path
+			const resolved = new URL(href, response.url()).pathname;
+			const res = await request.get(resolved);
+			expect(res.status(), `failed to fetch ${resolved}`).toBe(200);
+			const body = Buffer.from(await res.body());
+			const [algo, expected_hash] = integrity.split('-', 2);
+			const actual_hash = createHash(algo).update(body).digest('base64');
+
+			expect(actual_hash, `integrity mismatch for ${resolved}`).toBe(expected_hash);
+		}
+	});
+
 	test('$app/integrity returns hash for ?url imports', async ({ request }) => {
 		const response = await request.get('/path-base/integrity');
 		const html = await response.text();