Seoxpert.io
Severity: low · Category: Security

HTTPS Cross-Origin Scripts Missing Subresource Integrity (SRI)

HTTPS cross-origin scripts are loaded without Subresource Integrity (SRI), exposing users to supply-chain attacks.

By Seoxpert Editorial · Published

Why it matters

Without SRI, browsers cannot verify that third-party scripts from CDNs are unaltered, leaving users vulnerable to malicious code if the CDN is compromised. This undermines site security and user trust, and can lead to search engines flagging your site for unsafe content.

Impact

Leaving this unresolved exposes users to potential supply-chain attacks via compromised third-party scripts.

How it's detected

Automated crawlers scan for <script> tags with HTTPS cross-origin src attributes lacking an integrity attribute.

Common causes

  • Including third-party scripts from CDNs without adding an integrity attribute.
  • Lack of awareness about SRI requirements for external scripts.
  • Build tools or deployment processes not configured to generate SRI hashes.
  • Copy-pasting script tags from documentation or CDN sites that omit SRI.

How to fix it

For each cross-origin <script> tag, generate a cryptographic hash of the script file and add it as the integrity attribute, along with crossorigin="anonymous" (the CORS attribute is required so the browser is allowed to read the cross-origin response and check it against the hash). Use tools like openssl to generate the hash, or automate the process with build plugins such as webpack-subresource-integrity or vite-plugin-sri. Always update the hash when the script version changes.

Code examples

Problem: Script without SRI

<script src="https://cdn.jsdelivr.net/npm/@supabase/supabase-js@2"></script>

Fix: Script with SRI and crossorigin

<script src="https://cdn.jsdelivr.net/npm/@supabase/supabase-js@2"
        integrity="sha384-abc123..." crossorigin="anonymous"></script>

FAQ

What is Subresource Integrity (SRI) and why is it needed for CDN scripts?

SRI ensures that browsers verify third-party scripts have not been tampered with by checking a cryptographic hash, protecting against supply-chain attacks.

How do I generate an SRI hash for a script?

Download the script and run: openssl dgst -sha384 -binary lib.js | openssl base64 -A, then add the result, prefixed with sha384-, as the value of the integrity attribute.
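The procedure from "How to fix it" and the openssl one-liner above, as an added shell example (not code from the Seoxpert page); it assumes openssl is installed and that the script file has already been downloaded to a local path:

```shell
#!/bin/sh
# Added example, not from the Seoxpert page. Computes an SRI integrity value
# for a local script file exactly as the page's openssl one-liner does, and
# verifies a file against an existing integrity value (useful when the CDN
# file is re-downloaded and you want to know whether the hash still matches).
# The sample file used below is constructed locally, so this runs offline.

# sri_hash FILE [ALGO] -> prints "<algo>-<base64 digest>", ALGO defaults to sha384
sri_hash() {
  file=$1
  algo=${2:-sha384}
  digest=$(openssl dgst "-$algo" -binary "$file" | openssl base64 -A)
  printf '%s-%s\n' "$algo" "$digest"
}

# sri_verify FILE INTEGRITY -> exit status 0 when FILE matches INTEGRITY
# (the algorithm is taken from the prefix of INTEGRITY, e.g. "sha384-...")
sri_verify() {
  file=$1
  expected=$2
  algo=${expected%%-*}
  [ "$(sri_hash "$file" "$algo")" = "$expected" ]
}

# sri_script_tag FILE URL -> prints the <script> tag with integrity + crossorigin
sri_script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
    "$2" "$(sri_hash "$1")"
}

# Constructed sample: a tiny local script standing in for the downloaded lib.js
sample=$(mktemp)
printf 'console.log("hello");\n' > "$sample"
sri_script_tag "$sample" "https://cdn.example.invalid/lib.js"   # placeholder URL
rm -f "$sample"
```

Note that a floating version specifier such as the @2 in the page's jsDelivr example resolves to whatever 2.x release is current, so the hash will stop matching as soon as the CDN serves a newer build; pin the URL to an exact version when you add an integrity attribute.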

Do I need to update the SRI hash if the script version changes?

Yes, any change to the script file requires generating a new hash and updating the integrity attribute.

Can I automate adding SRI to scripts?

Yes, most modern build tools have plugins (e.g., webpack-subresource-integrity, vite-plugin-sri) that automate SRI hash generation and injection.
