Missing SRI.
Without Subresource Integrity, compromised CDNs can inject malicious scripts
What does this check test?
Subresource Integrity (SRI) is a browser security feature that allows you to verify that files loaded from third-party CDNs or external origins have not been tampered with. By adding an `integrity` attribute containing a cryptographic hash to `<script>` and `<link>` tags, the browser will compare the downloaded file against the hash and refuse to execute it if there is a mismatch. This check identifies external scripts and stylesheets that are missing SRI hashes.
Why does it matter?
When you load JavaScript from a CDN (e.g., `cdn.jsdelivr.net`, `cdnjs.cloudflare.com`, `unpkg.com`), you are trusting that CDN to serve unmodified files. If the CDN is compromised, an attacker can replace the legitimate file with malicious code that runs on every site loading from that CDN. This has happened in real-world attacks — the Polyfill.io supply chain attack in 2024 affected over 100,000 websites. SRI provides a cryptographic guarantee that the file has not been modified, even if the CDN is compromised.
Who is affected?
Any site that loads JavaScript or CSS from external domains (CDNs, third-party services, shared hosting) should use SRI. This is especially important for high-traffic sites where a supply chain attack would have maximum impact. Sites that bundle all their assets from their own origin are not affected, but any external `<script>` or `<link>` tag should have an `integrity` attribute. SRI is particularly critical for payment forms, authentication pages, and admin interfaces.
Where does this apply?
Inspect all `<script>` and `<link>` tags in your HTML that load resources from external origins (any domain other than your own). Check for the presence of the `integrity` attribute. Browser DevTools' Elements panel or Network tab can help identify external resources. CSP can also enforce SRI via the `require-sri-for` directive (though browser support is limited).
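The inspection described above can be automated. The following Python script is an added example, not AppVet's own scanner: it walks the HTML, finds `<script src>` and `<link rel="stylesheet" href>` tags that point at an origin other than the site's own (absolute or protocol-relative URLs), and reports those without an `integrity` attribute. It also reports an `integrity` attribute without `crossorigin`, because a browser cannot verify a cross-origin resource it fetched without CORS and will block it instead. The site host, the sample HTML and the `sha384-CONSTRUCTED...` value are constructed for this example; the lodash hash is the one shown on this page.

```python
"""Find external <script>/<link rel=stylesheet> tags that lack SRI.

Added example for this page, not AppVet's own check. The site host and the
sample document below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumed: the host of the page's own origin

MISSING_INTEGRITY = "missing integrity attribute"
MISSING_CROSSORIGIN = "integrity attribute present but crossorigin missing"


class SRIAuditor(HTMLParser):
    """Collects (tag, url, problem) findings for external scripts and stylesheets."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: list[tuple[str, str, str]] = []

    def _is_external(self, url: str) -> bool:
        # Relative URLs have no netloc and are same-origin by definition.
        # "//cdn.example.net/x.js" is protocol-relative and still external.
        netloc = urlsplit(url).netloc.lower()
        return bool(netloc) and netloc != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes (e.g. bare crossorigin) map to None
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        else:
            return  # icons, preloads, inline scripts: out of scope here
        if not url or not self._is_external(url):
            return
        if not a.get("integrity"):  # absent or empty: the browser checks nothing
            self.findings.append((tag, url, MISSING_INTEGRITY))
        elif "crossorigin" not in a:
            self.findings.append((tag, url, MISSING_CROSSORIGIN))


def audit_html(html: str, site_host: str = SITE_HOST) -> list[tuple[str, str, str]]:
    """Return the SRI findings for one HTML document."""
    auditor = SRIAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample document: one stylesheet with integrity but no crossorigin,
# one CDN script with no integrity at all, and same-origin assets to be ignored.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="//cdn.example.net/styles.css"
      integrity="sha384-CONSTRUCTED_PLACEHOLDER_VALUE">
<link rel="icon" href="https://cdn.example.net/favicon.ico">
</head><body>
<script src="/static/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"
        integrity="sha256-qXBd/EfAdjOA2FGrGAG+b3YBn2tn5A6bhz+LSgYD96k="
        crossorigin="anonymous"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, problem in audit_html(SAMPLE_HTML):
        print(f"<{tag}> {url}: {problem}")
```

Run it against saved HTML (`audit_html(open("page.html").read(), "your-host.example")`). Subdomains of your own site count as external here, which is deliberate: a separate asset host is still a separate thing to trust.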
How to fix it
Add an `integrity` attribute carrying the file's hash, and `crossorigin="anonymous"` so the browser fetches the cross-origin resource with CORS and can verify it:

<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"
        integrity="sha256-qXBd/EfAdjOA2FGrGAG+b3YBn2tn5A6bhz+LSgYD96k="
        crossorigin="anonymous"></script>

<link rel="stylesheet"
      href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css"
      integrity="sha384-9ndCyUaIbzAi2FUVXJi0CjmCapSmO7SnpJef0486qhLnuZ2cdeRhO02iuK6FUUVM"
      crossorigin="anonymous">

Generate the hash from the exact bytes the CDN serves, then prefix the output with the algorithm name (e.g. `sha384-`):

cat script.js | openssl dgst -sha384 -binary | openssl base64 -A
Alternatively, generate the value with the SRI Hash Generator at srihash.org.

References
- MDN: Subresource Integrity
- web.dev: Subresource Integrity
- SRI Hash Generator
- W3C: Subresource Integrity Specification
AppVet checks Missing SRI automatically