Document SRI feature in the README.md file

Author: rafaelfranca

README.md

@@ -16,7 +16,7 @@ With Rails 8, Propshaft is the default asset pipeline for new applications. With
 
 ## Usage
 
-Propshaft makes all the assets from all the paths it's been configured with through `config.assets.paths` available for serving and will copy all of them into `public/assets` when precompiling. This is unlike Sprockets, which did not copy over assets that hadn't been explicitly included in one of the bundled assets. 
+Propshaft makes all the assets from all the paths it's been configured with through `config.assets.paths` available for serving and will copy all of them into `public/assets` when precompiling. This is unlike Sprockets, which did not copy over assets that hadn't been explicitly included in one of the bundled assets.
 
 You can however exempt directories that have been added through the `config.assets.excluded_paths`. This is useful if you're for example using `app/assets/stylesheets` exclusively as a set of inputs to a compiler like Dart Sass for Rails, and you don't want these input files to be part of the load path. (Remember you need to add full paths, like `Rails.root.join("app/assets/stylesheets")`).
 
@@ -50,9 +50,55 @@ export default class extends Controller {
 
 If you need to put multiple files that refer to each other through Propshaft, like a JavaScript file and its source map, you have to digest these files in advance to retain stable file names. Propshaft looks for the specific pattern of `-[digest].digested.js` as the postfix to any asset file as an indication that the file has already been digested.
 
+## Subresource Integrity (SRI)
+
+Propshaft supports Subresource Integrity (SRI) to help protect against malicious modifications of assets. SRI allows browsers to verify that resources fetched from CDNs or other sources haven't been tampered with by checking cryptographic hashes.
+
+### Enabling SRI
+
+To enable SRI support, configure the hash algorithm in your Rails application:
+
+```ruby
+config.assets.integrity_hash_algorithm = "sha384"
+```
+
+Valid hash algorithms include:
+- `"sha256"` - SHA-256 (most common)
+- `"sha384"` - SHA-384 (recommended for enhanced security)
+- `"sha512"` - SHA-512 (strongest)
+
+### Using SRI in your views
+
+Once configured, you can enable SRI by passing the `integrity: true` option to asset helpers:
+
+```erb
+<%= stylesheet_link_tag "application", integrity: true %>
+<%= javascript_include_tag "application", integrity: true %>
+```
+
+This generates HTML with integrity hashes:
+
+```html
+<link rel="stylesheet" href="/assets/application-abc123.css"
+      integrity="sha384-xyz789...">
+<script src="/assets/application-def456.js"
+        integrity="sha384-uvw012..."></script>
+```
+
+**Important**: SRI only works in secure contexts (HTTPS) or during local development. The integrity hashes are automatically omitted when serving over HTTP in production for security reasons.
+
+### Bulk stylesheet inclusion with SRI
+
+Propshaft extends `stylesheet_link_tag` with special symbols for bulk inclusion:
+
+```erb
+<%= stylesheet_link_tag :all, integrity: true %>  <!-- All stylesheets -->
+<%= stylesheet_link_tag :app, integrity: true %>  <!-- Only app/assets stylesheets -->
+```
+
 ## Improving performance in development
 
-Before every request Propshaft checks if any asset was updated to decide if a cache sweep is needed. This verification is done using the application's configured file watcher which, by default, is `ActiveSupport::FileUpdateChecker`. 
+Before every request Propshaft checks if any asset was updated to decide if a cache sweep is needed. This verification is done using the application's configured file watcher which, by default, is `ActiveSupport::FileUpdateChecker`.
 
 If you have a lot of assets in your project, you can improve performance by adding the `listen` gem to the development group in your Gemfile, and this line to the `development.rb` environment file: