Securing the Web's Weakest Link
JavaScript powers the modern web, driving everything from encrypted messaging platforms like Signal to cryptocurrency wallets. But its flexibility comes with a glaring flaw: code delivered to your browser can be tampered with, exposing sensitive data like encryption keys or financial assets. A single malicious tweak can unravel the security of even the most robust encryption. Cloudflare's Web Application Integrity, Consistency, and Transparency (WAICT) proposal, unveiled in October 2025, aims to fix this by bringing app store-like security to web applications without a central gatekeeper.
The problem isn't new. Since 2011, experts have flagged JavaScript cryptography as risky due to code distribution vulnerabilities. Unlike smartphone apps, which benefit from app store oversight, web apps lack mechanisms to ensure the code you receive is authentic. WAICT introduces a decentralized system to verify code integrity, ensuring platforms like WhatsApp Web or online voting systems remain untampered. It's a bold step toward making the web a safer place for sensitive applications.
How WAICT Locks Down Web Apps
At its core, WAICT relies on an integrity manifest, a cryptographic blueprint that maps out every asset a website serves, from scripts to images, using SHA-256 hashes. When you load a site, your browser checks these hashes to confirm nothing has been altered. This setup extends Subresource Integrity, a browser feature already supported by Chrome and Firefox, to cover entire web applications. Sites also connect to transparency services, which maintain public logs of these manifests, letting anyone verify code authenticity.
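The manifest check described above, as an added example that is not Cloudflare's code or the WAICT wire format: it builds a path-to-digest manifest using the SRI digest syntax ("sha256-" plus base64) and rejects both altered and unlisted assets. The function names, the JSON serialization and the sample assets are assumptions made for illustration.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// SRI-style digest string: "sha256-" + base64(SHA-256(body)).
function sriDigest(body) {
  return "sha256-" + createHash("sha256").update(body).digest("base64");
}

// Map every asset path to its digest, in sorted path order so the
// manifest serializes identically no matter how the build listed files.
function buildManifest(assets) {
  const manifest = new Map();
  for (const path of Object.keys(assets).sort()) {
    manifest.set(path, sriDigest(assets[path]));
  }
  return manifest;
}

// One digest over the whole manifest: the value a transparency log
// would record for this release (assumed serialization: JSON pairs).
function manifestDigest(manifest) {
  return sriDigest(JSON.stringify([...manifest]));
}

// Check one served response. Paths missing from the manifest fail
// closed, so an injected extra script is rejected as well as a changed one.
function verifyAsset(manifest, path, body) {
  if (!manifest.has(path)) return { ok: false, reason: "unlisted" };
  const want = Buffer.from(manifest.get(path));
  const got = Buffer.from(sriDigest(body));
  const ok = want.length === got.length && timingSafeEqual(want, got);
  return { ok, reason: ok ? "match" : "hash-mismatch" };
}

// Constructed sample release (not taken from any real site).
const published = {
  "/index.html": '<script type="module" src="/app.js"></script>',
  "/app.js": "export const seal = (msg, key) => encrypt(msg, key);",
};
const manifest = buildManifest(published);
const tampered = published["/app.js"] + "\n/* altered in transit */";

console.log(manifestDigest(manifest));
console.log(verifyAsset(manifest, "/app.js", published["/app.js"]));
console.log(verifyAsset(manifest, "/app.js", tampered));
console.log(verifyAsset(manifest, "/extra.js", "void 0;"));
```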
WAICT doesn't stop at integrity. It ensures consistency, so all users get the same code version, and transparency, creating a public audit trail. Multiple independent services, backed by cryptographic witnesses, verify these logs, preventing any single entity from controlling the system. This design draws inspiration from Certificate Transparency, which has protected TLS connections since 2013. By integrating the WEBCAT protocol from the Freedom of the Press Foundation, WAICT also supports developer code signing, adding another layer of trust.
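How a client can confirm that a manifest digest really is in a public log, shown as an added example using the RFC 6962 Merkle tree from Certificate Transparency, the design this section says WAICT draws on. It is not WAICT's own log format or anyone's production code; the log entries and function names are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");
const sha256 = (...parts) => createHash("sha256").update(Buffer.concat(parts)).digest();
// RFC 6962 domain separation: 0x00 prefixes leaves, 0x01 interior nodes.
const leafHash = (entry) => sha256(Buffer.from([0x00]), Buffer.from(entry));
const nodeHash = (left, right) => sha256(Buffer.from([0x01]), left, right);
// Largest power of two strictly below n (n >= 2): the RFC 6962 split point.
const split = (n) => { let k = 1; while (k * 2 < n) k *= 2; return k; };

function treeRoot(entries) {
  if (entries.length === 0) throw new Error("empty log");
  if (entries.length === 1) return leafHash(entries[0]);
  const k = split(entries.length);
  return nodeHash(treeRoot(entries.slice(0, k)), treeRoot(entries.slice(k)));
}

// Log side: sibling hashes from the leaf up to the root.
function inclusionProof(index, entries) {
  if (entries.length === 1) return [];
  const k = split(entries.length);
  const left = entries.slice(0, k), right = entries.slice(k);
  return index < k
    ? [...inclusionProof(index, left), treeRoot(right)]
    : [...inclusionProof(index - k, right), treeRoot(left)];
}

// Client side: rebuild the root from one entry plus the proof alone.
function rootFromProof(index, size, hash, proof) {
  if (size === 1) return proof.length === 0 ? hash : null;
  if (proof.length === 0) return null;
  const k = split(size), sibling = proof[proof.length - 1];
  const sub = index < k
    ? rootFromProof(index, k, hash, proof.slice(0, -1))
    : rootFromProof(index - k, size - k, hash, proof.slice(0, -1));
  if (sub === null) return null;
  return index < k ? nodeHash(sub, sibling) : nodeHash(sibling, sub);
}

function verifyInclusion(entry, index, size, proof, root) {
  if (!Number.isInteger(index) || index < 0 || index >= size) return false;
  const rebuilt = rootFromProof(index, size, leafHash(entry), proof);
  return rebuilt !== null && rebuilt.equals(root);
}

// Constructed log: one manifest digest per release (placeholder values).
const log = ["rel-1 sha256-AAAA", "rel-2 sha256-BBBB", "rel-3 sha256-CCCC", "rel-4 sha256-DDDD", "rel-5 sha256-EEEE"];
const root = treeRoot(log);
const proof = inclusionProof(3, log);
console.log(verifyInclusion(log[3], 3, log.length, proof, root));
```

The proof holds three hashes for a five-entry log, so a client checks membership without downloading the log, and any witness that recomputes the same root is vouching for the same history.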
Lessons From Real-World Attacks
The urgency of WAICT became clear following a major npm supply chain attack that compromised packages like chalk and debug-js, affecting billions of weekly downloads. Using phishing to hijack maintainer accounts, attackers injected malware that siphoned cryptocurrency by manipulating web APIs. Nearly 500 packages were compromised before the attack was contained, highlighting the web's vulnerability to supply chain attacks. WAICT's transparency logs and integrity checks could have caught these changes, alerting users and developers to tampered code.
Contrast this with WhatsApp's 2022 Code Verify project, developed with Cloudflare. This system enabled verification of WhatsApp Web's code against a committed reference version, detecting tampering attempts. While effective, it required manual installation and only protected one app. WAICT builds on this by embedding verification into browsers, covering all enrolled sites. These cases show the stakes: without systemic protections, web apps remain easy targets, but targeted solutions prove the concept works.
Balancing Security and Challenges
WAICT's decentralized approach offers clear benefits for high-stakes applications. Signal and ProtonMail could deliver web versions with security rivaling their native apps, while cryptocurrency wallets could reduce theft risks. Online voting platforms, where code integrity is critical, stand to gain from public audit trails. By avoiding centralized control, WAICT sidesteps censorship risks, making secure communication accessible even on locked-down devices.
Still, hurdles remain. Generating manifests demands effort from site operators, especially smaller teams managing dynamic content. Public logs might expose application structures some developers prefer to keep private. Browser verification adds a slight performance overhead, a concern for low-powered devices. Adoption also faces a chicken-and-egg problem: transparency services need sites to enroll, but sites won't join without robust infrastructure. Browsers such as Safari and Edge must align on standards, a process that is expected to unfold through 2025 and 2026 as the specification is refined.
A Safer Web on the Horizon
WAICT's vision extends beyond fixing today's flaws. By enabling secure web-based encryption, it could empower users in regions where app stores are censored or devices can't run native apps. Journalists using tools like SecureDrop could trust their code hasn't been backdoored. Smaller developers, though, need better tools to ease adoption, as managing manifests requires technical know-how. Cloud providers like Amazon Web Services could offer transparency services, but governance must ensure no single player dominates.
The road ahead involves collaboration. Browser vendors, cloud providers, and developers must refine WAICT through W3C and IETF standards. Early betas, expected soon, will test its real-world feasibility. If successful, WAICT could redefine web security, making tampering a relic of the past. For now, it's a promising step toward a web where trust is built in, not assumed.