diff --git a/fern/products/docs/pages/changelog/2026-07-15.mdx b/fern/products/docs/pages/changelog/2026-07-15.mdx
new file mode 100644
index 000000000..9a962b0fa
--- /dev/null
+++ b/fern/products/docs/pages/changelog/2026-07-15.mdx
@@ -0,0 +1,14 @@
+## Opt remote scripts out of SRI
+
+customization, docs.yml, security
+
+Fern adds a Subresource Integrity (SRI) `integrity` attribute to remote `js` scripts by default. You can now disable SRI on a specific remote script without turning it off globally. Disable it for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block.
+
+```yaml title="docs.yml"
+js:
+ - url: https://cdn.example.com/a.js
+ disable-sri: true # rendered without an integrity attribute
+ - url: https://cdn.example.com/b.js # still gets SRI (default)
+```
+
+
diff --git a/fern/products/docs/pages/customization/custom-css-js.mdx b/fern/products/docs/pages/customization/custom-css-js.mdx
index d770ce353..1b9f1ef66 100644
--- a/fern/products/docs/pages/customization/custom-css-js.mdx
+++ b/fern/products/docs/pages/customization/custom-css-js.mdx
@@ -399,21 +399,30 @@ js:
-We use `path` for local sources and `url` for remote sources.
+Use `path` for local sources and `url` for remote sources. Remote scripts get [Subresource Integrity](#properties) protection by default.
-### Strategy
-
-Optionally, specify the strategy for each custom JavaScript file. Choose from `beforeInteractive`, `afterInteractive` (default), and `lazyOnload`.
+### Properties
```yaml
js:
- path: path/to/another/js/file.js
strategy: beforeInteractive
+ - url: https://cdn.example.com/a.js
+ disable-sri: true # rendered without an integrity attribute
+ - url: https://cdn.example.com/b.js # still gets SRI (default)
```
+
+ When the script loads.
+
+
+
+ Opts a remote script out of [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity). By default, Fern adds an `integrity` attribute (and `crossorigin`) to remote scripts, so the browser only runs a script whose content matches the expected hash. Set to `true` for scripts that update in place, such as auto-updating or CDN-rolled scripts, which SRI would otherwise block.
+
+
### Common use cases
- **Third-party integrations:** For tools not natively supported in `docs.yml`, add analytics, session recording, support widgets, or tag managers by pasting their embed snippets into your custom JS file. See [Integrating third-party tools](/learn/docs/integrations/overview#connect-other-integrations-via-custom-javascript) for supported tools and examples.