Web applications have become increasingly popular, as they are convenient for many computing tasks and are accessible from any device with a web browser. Although existing web security mechanisms such as TLS, CSP and SRI protect against a variety of threats, web applications are still vulnerable to insider attacks in which a malicious hosting server delivers an altered version of the application. This threat is particularly critical for web applications that employ trusted execution environments (TEEs), as a lack of verifiability of the application’s code undermines the confidentiality guarantees provided by the TEE. To ensure that sensitive data is sent to an authentic TEE, such web applications rely on browser extensions to perform critical operations such as attestation and communication, as they are isolated from the web application and thereby shielded from tampering. However, this is not a scalable approach, as it is infeasible for users to install application-specific browser extensions for every TEE-enabled web application. In this work, we present a scalable method for trustworthy delivery and user-verifiable attestation for web applications that use TEEs to provide privacy guarantees for user input. To evaluate a proof-of-concept of our method, we implemented a web application that uses a TEE-based password authentication service called SafeKeeper. We then extended Meta’s Code Verify browser extension to validate the integrity of our web application’s code, which includes TEE-specific operations, thereby eliminating the need for a separate application-specific browser extension. This method ensures both the integrity of the delivered application and the confidentiality of user input, offering a unified and scalable solution for the trustworthy delivery of web applications that use TEEs.