We're in the process of implementing Subresource Integrity (SRI) across our website to meet security compliance requirements. As part of this, we need to add integrity hashes to all externally loaded scripts and stylesheets.
Why it matters / Risks:
Without SRI, if your CDN were ever compromised or the asset URL silently updated, a malicious script could execute on our site with no warning to us or our users.
Almost all modern JavaScript libraries support versioning and integrity-hash support. It seems to be missing in Calendly.
Could you please confirm:
1. Whether you provide a versioned, stable URL for this asset (so the file content won't change unexpectedly)?
2. Whether you publish an official SHA-384 (or SHA-256) integrity hash we can use in our integrity attribute?
3. If not, do you have a recommended approach for customers who need SRI compliance?
This is a security requirement flagged in our infrastructure audit, so any guidance you can provide would be greatly appreciated.
