SRI01 Missing Subresource Integrity
What this means
SiteShadow flagged external <script> / <link> assets (typically from CDNs) that are included without Subresource Integrity (SRI) hashes.
Why it matters
Without SRI, compromised CDN assets can execute malicious code in your app.
- Supply-chain exposure: if a CDN asset is modified, every visitor can be affected.
- Hard to detect: the browser will happily run modified assets unless integrity is enforced.
Safer examples
1) Add SRI + crossorigin for CDN assets
<script
  src="https://cdn.example.com/lib.min.js"
  integrity="sha384-BASE64_HASH_HERE"
  crossorigin="anonymous"
></script>
2) Self-host critical assets
If you can't reliably manage SRI, bundling/self-hosting reduces external dependency risk.
3) Pin versions (don't use "latest")
Pin CDN URLs to exact versions so the content is predictable.
How SiteShadow detects it (high level)
- Scans HTML/templates for external scripts/styles and checks for a missing integrity="..." attribute.
- Prioritizes executable JavaScript assets as higher risk than styles.
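As an added example (not SiteShadow's own code), the Python below does the two things this page describes: it computes the integrity value for an asset body, and it scans an HTML document for external script/stylesheet tags that lack one, ranking scripts above styles. The sample page, the host names and the page_host parameter are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one CDN script without SRI, one with SRI,
# one CDN stylesheet without SRI, and one same-origin script (out of scope).
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.com/lib.min.js"></script>
<script src="https://cdn.example.com/ok.js" integrity="sha384-abc" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example.com/style.css">
<script src="/static/local.js"></script>
</head></html>
"""

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the integrity attribute value: '<algo>-' + base64 of the raw digest."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

class SriScanner(HTMLParser):
    """Collect external <script src> / <link rel=stylesheet> tags with no integrity attribute."""
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host   # host of the page itself (constructed assumption)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            url, severity = a["src"], "high"        # executable JavaScript: highest risk
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            url, severity = a["href"], "medium"     # styles: lower risk, still flagged
        else:
            return
        host = urlparse(url).netloc                 # also handles protocol-relative //cdn URLs
        if not host or host == self.page_host:      # relative or same-origin: not a CDN asset
            return
        if not a.get("integrity"):
            self.findings.append({"tag": tag, "url": url, "severity": severity})

def scan(html: str, page_host: str) -> list:
    """Return findings for the page, highest severity first."""
    scanner = SriScanner(page_host)
    scanner.feed(html)
    return sorted(scanner.findings, key=lambda f: f["severity"] != "high")
```

Fetch the exact bytes you intend to ship, pass them to sri_hash, and paste the result into the integrity attribute; any later change to the CDN copy will then fail the browser's check.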