diff --git a/.github/renovate.json b/.github/renovate.json
index b5c43cc1d39..1ac226f69cb 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -161,7 +161,8 @@
 "webpack",
 "webpack-cli",
 "webpack-dev-server",
- "webpack-node-externals"
+ "webpack-node-externals",
+ "webpack-subresource-integrity"
 ],
 "description": "Platform owned dependencies",
 "commitMessagePrefix": "[deps] Platform:",
diff --git a/apps/web/webpack.config.js b/apps/web/webpack.config.js
index 9373308c112..219ba3f8027 100644
--- a/apps/web/webpack.config.js
+++ b/apps/web/webpack.config.js
@@ -7,6 +7,7 @@
 const HtmlWebpackInjector = require("html-webpack-injector");
 const HtmlWebpackPlugin = require("html-webpack-plugin");
 const MiniCssExtractPlugin = require("mini-css-extract-plugin");
 const TerserPlugin = require("terser-webpack-plugin");
+const { SubresourceIntegrityPlugin } = require("webpack-subresource-integrity");
 const webpack = require("webpack");
 const config = require("./config.js");
@@ -85,6 +86,13 @@ const moduleRules = [
 ];
 
 const plugins = [
+ new SubresourceIntegrityPlugin({
+ // Only enable SRI in production, otherwise it might break hot reloading.
+ // If for some reason you need to enable it in development, make sure to also set
+ // optimization.realContentHash to true in the webpack config.
+ enabled: NODE_ENV === "production",
+ hashFuncNames: ["sha512"],
+ }),
 new HtmlWebpackPlugin({
 template: "./src/index.html",
 filename: "index.html",
@@ -382,6 +390,7 @@ const webpackConfig = {
 filename: "[name].[contenthash].js",
 path: path.resolve(__dirname, "build"),
 clean: true,
+ crossOriginLoading: "anonymous",
 },
 module: {
 noParse: /argon2(-simd)?\.wasm$/,
diff --git a/package-lock.json b/package-lock.json
index 9095b269fb9..76c8e5a8684 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -72,6 +72,7 @@
 "tabbable": "6.2.0",
 "tldts": "6.1.74",
 "utf-8-validate": "6.0.5",
+ "webpack-subresource-integrity": "^5.1.0",
 "zone.js": "0.14.10",
 "zxcvbn": "4.4.2"
 },
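Review bot: The integrity attributes the new SubresourceIntegrityPlugin emits cover only the script and link tags webpack itself generates, so anything written by hand in the `./src/index.html` template referenced just below it (third-party scripts, stylesheets, fonts) still carries no SRI protection; the comment block should say so, e.g. `// Covers only assets emitted by webpack; tags written by hand in src/index.html need their own integrity attribute.` The `enabled` flag keys off a `NODE_ENV` binding defined outside this hunk, so any build where that value is not exactly "production" silently ships without integrity hashes, which argues for a post-build check that the emitted index.html actually contains `integrity=` attributes. The `crossOriginLoading: "anonymous"` added in the output hunk further down is what lets the browser apply the hash check to chunks served cross-origin, so the two settings belong together and a comment on that line pointing back to the plugin would keep them from being removed independently.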
diff --git a/package.json b/package.json
index 895f1d844c9..1a3082aa0f4 100644
--- a/package.json
+++ b/package.json
@@ -203,6 +203,7 @@
 "tabbable": "6.2.0",
 "tldts": "6.1.74",
 "utf-8-validate": "6.0.5",
+ "webpack-subresource-integrity": "^5.1.0",
 "zone.js": "0.14.10",
 "zxcvbn": "4.4.2"
 },
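Review bot: The new entry is declared with a caret range `"^5.1.0"` while every neighbouring dependency in this hunk is pinned to an exact version (`"6.2.0"`, `"6.1.74"`, `"6.0.5"`), so an install that does not honour the lockfile could resolve a different 5.x release of the plugin than the one reviewed here, and that plugin is the component computing the integrity hashes the build now relies on. Pin it to match the file's convention, `"webpack-subresource-integrity": "5.1.0",`, and let the renovate group this commit also adds it to carry future bumps. The same caret range is mirrored in the package-lock.json hunk above and would be regenerated after the pin.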