Seoxpert.io
Low · Security

Cross-Origin Scripts Missing Subresource Integrity (SRI)

One or more external scripts are loaded without a Subresource Integrity (SRI) hash, exposing users to supply-chain attacks.

By Seoxpert Editorial · Published

Why it matters

Without SRI the browser has no way to confirm that the script it received is the one you reviewed. A third-party script runs with the full privileges of your page's origin, so anyone who can change the file on the CDN (a compromised CDN account, a hijacked package, a malicious mirror) can read form input and the DOM, inject payment skimmers or redirect visitors, and search engines may flag or penalise the site once injected code is detected. With an integrity hash in place a modified file fails the check and the browser refuses to execute it. Adding the hash is a small change to the tag for a real reduction in supply-chain risk.

Impact

Leaving this unresolved exposes your site and users to supply-chain attacks via compromised third-party scripts: a modified file served from the CDN executes in every visitor's browser as if it were your own code, and nothing on your side detects the substitution.

How it's detected

Automated crawlers scan for <script> tags whose 'src' resolves to an origin other than the page's own and that have no 'integrity' attribute (or an empty one). Same-origin scripts are not flagged by this check.
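
The check described above, as an added example that is not Seoxpert's crawler: a small Node.js script that pulls <script> tags out of a page with a tag regex (a production crawler would use a real HTML parser), resolves each 'src' against the page URL and reports cross-origin scripts without a usable 'integrity' attribute. It also reports two related mistakes: an 'integrity' value with no supported algorithm (browsers ignore it, so the script loads unverified) and an 'integrity' value without 'crossorigin' (the browser cannot read the response to verify it and blocks the script). The sample page and the cdn.example.com URLs are constructed.

```javascript
// Added example (not Seoxpert's crawler): find cross-origin scripts without usable SRI.
// Uses a tag regex on constructed HTML; a real crawler should use an HTML parser.

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// attribute name, optionally followed by ="..." | '...' | bare value
// (valueless attributes such as a bare `crossorigin` are allowed)
const ATTR = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const SUPPORTED_ALG = /^sha(256|384|512)-/i;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns [{src, reason}] for every cross-origin <script src> that the browser would
// either load without verifying or refuse to load because of its SRI attributes.
function findScriptsMissingSri(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src === undefined) continue;                // inline script: SRI does not apply
    let resolved;
    try { resolved = new URL(attrs.src, pageUrl); } catch { continue; }  // unparseable src
    if (resolved.origin === pageOrigin) continue;         // same-origin: outside this check
    const tokens = (attrs.integrity ?? "").trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) {
      findings.push({ src: resolved.href, reason: "missing integrity" });
    } else if (!tokens.some((t) => SUPPORTED_ALG.test(t))) {
      // browsers ignore unknown algorithms, so this script loads unverified
      findings.push({ src: resolved.href, reason: "no supported hash algorithm" });
    } else if (attrs.crossorigin === undefined) {
      // without CORS the response is opaque, the hash cannot be checked and the script is blocked
      findings.push({ src: resolved.href, reason: "integrity without crossorigin" });
    }
  }
  return findings;
}

// Constructed sample page for the demo.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ok.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//cdn.example.com/proto.js" integrity="sha384-BBBB"></script>
<script src="https://cdn.example.com/weak.js" integrity="sha1-CCCC" crossorigin></script>
<script>console.log("inline")</script>
`;

console.log(findScriptsMissingSri(SAMPLE_HTML, "https://www.example.com/"));
```

Run against the sample page it reports lib.js (no integrity), proto.js (integrity but no crossorigin) and weak.js (sha1 is not a supported SRI algorithm); app.js is same-origin and the inline script has no src, so neither is reported.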

Common causes

  • Including third-party scripts from CDNs without adding an integrity attribute.
  • Using build tools or CMSes that do not automatically generate SRI hashes.
  • Frequently changing or versionless script URLs, making SRI maintenance difficult.
  • Lack of awareness about SRI and its importance for security.

How to fix it

For each external <script> tag, download the exact file the tag references, generate a SHA-384 (or SHA-256/SHA-512) digest of it, base64-encode the digest and add it as the 'integrity' attribute together with 'crossorigin="anonymous"'. The crossorigin attribute is not optional: a browser can only verify a hash on a cross-origin response it is allowed to read, so the request must be made with CORS and the CDN must answer with an Access-Control-Allow-Origin header (public CDNs normally do). Reference a versioned, immutable URL so the bytes behind it never change; a provider that updates a file in place will break the page, because the browser blocks any script whose hash no longer matches rather than falling back to the unverified copy. Generate the hashes with 'openssl' or a build tool plugin rather than by hand, and treat every dependency bump as a hash update.

Code examples

Problem: Script without SRI

<script src="https://cdn.example.com/lib.js"></script>

Fix: Script with SRI and crossorigin

<script src="https://cdn.example.com/lib.js" integrity="sha384-BASE64HASH" crossorigin="anonymous"></script>

FAQ

What is Subresource Integrity (SRI) and why is it important for external scripts?

SRI allows browsers to verify that a fetched script matches a known hash and to refuse to execute it if it does not, protecting against compromised third-party resources.

How do I generate an SRI hash for a script?

Download the script over HTTPS from the same URL your tag references (not a copy from elsewhere) and run 'openssl dgst -sha384 -binary lib.js | openssl base64 -A' to get the hash, then add it to the 'integrity' attribute as 'sha384-<hash>'.

Do I need to update the SRI hash if the script changes?

Yes. Any change to the file, even to a comment or whitespace, produces a different hash, and the browser then blocks the script outright; there is no fallback to the unverified version. Regenerate and update the hash as part of every dependency update.

Can I use SRI with scripts that update frequently, like analytics?

Only if you control when the bytes change. Most analytics and tag-manager loaders are served from one fixed URL and updated in place by the vendor, so a pinned hash would start blocking the script at the vendor's next release. For those, either self-host a reviewed copy at a versioned URL of your own, or accept the missing SRI for that one script and keep such exceptions to a minimum. For libraries, use versioned CDN URLs and update the hash with every upgrade.

Will missing SRI affect my SEO rankings?

While not a direct SEO ranking factor, compromised scripts can harm user security and trust, indirectly impacting SEO.

Found this issue on your site?

Run a scan to see if Cross-Origin Scripts Missing Subresource Integrity (SRI) affects your pages.
