What Gets Measured Gets Managed: Mitigating Supply Chain Attacks with a Link Integrity Management System

📅 2025-09-17
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Frequent web supply-chain attacks stem primarily from the lack of lightweight, generic, and efficient resource integrity verification mechanisms. This paper proposes LiMS, a lightweight, transparent Link Integrity Management System that enforces resource integrity properties declaratively and compositionally at the browser level, without requiring modifications to existing infrastructure. LiMS combines cryptographic hash validation with declarative, modular policy configuration files to achieve end-to-end integrity verification with minimal runtime overhead. Evaluation across 450 representative domains shows that LiMS adds only hundreds of milliseconds of first-contentful-paint latency, negligible reload overhead, and very low policy maintenance cost. Its core contribution is the first integration of modular integrity policy design with a lightweight execution engine, delivering strong security guarantees against known supply-chain attacks at minimal deployment cost.

๐Ÿ“ Abstract
The web continues to grow, but dependency-monitoring tools and standards for resource integrity lag behind. Currently, there exists no robust method to verify the integrity of web resources, much less in a generalizable yet performant manner, and supply chains remain one of the most targeted parts of the attack surface of web applications. In this paper, we present the design of LiMS, a transparent system to bootstrap link integrity guarantees in web browsing sessions with minimal overhead. At its core, LiMS uses a set of customizable integrity policies to declare the (un)expected properties of resources, verifies these policies, and enforces them for website visitors. We discuss how basic integrity policies can serve as building blocks for a comprehensive set of integrity policies, while providing guarantees that would be sufficient to defend against recent supply chain attacks detailed by security industry reports. Finally, we evaluate our open-sourced prototype by simulating deployments on a representative sample of 450 domains that are diverse in ranking and category. We find that our proposal offers the ability to bootstrap marked security improvements with an overall overhead of hundreds of milliseconds on initial page loads, and negligible overhead on reloads, regardless of network speeds. In addition, from examining archived data for the sample sites, we find that several of the proposed policy building blocks suit their dependency usage patterns, and would incur minimal administrative overhead.
Problem

Research questions and friction points this paper is trying to address.

Mitigating supply chain attacks on web applications
Verifying integrity of web resources effectively
Providing link integrity guarantees with minimal overhead
Innovation

Methods, ideas, or system contributions that make the work stand out.

LiMS system for link integrity management
Customizable policies to verify resource properties
Minimal overhead with open-sourced prototype evaluation
Johnny So
Stony Brook University, Stony Brook, New York, USA
Michael Ferdman
Stony Brook University, Stony Brook, New York, USA
Nick Nikiforakis
Associate Professor, Stony Brook University
Web Security, Web Privacy, Network Security, Deception-based Security