Issue type: Unsafe Implementation Of Subresource Integrity
Key: unsafe_sri_v2
Severity: High
Factor: Application Security
Subresource Integrity (SRI) is a security feature that ensures externally loaded resources, such as scripts, stylesheets, and fonts, have not been tampered with. It works by allowing developers to specify a cryptographic hash of the expected content. When the browser fetches the resource, it verifies the hash before executing it.
If the hash is missing, incorrect, or mismatched, the browser cannot verify the resource's integrity, leaving the application vulnerable to supply chain attacks and malicious script injection.
Why does SecurityScorecard flag this issue?
Without SRI:
- External resources can be modified without detection.
- Attackers may inject malicious code via compromised CDNs or third-party scripts.
- This can lead to cross-site scripting (XSS), data exfiltration, and other security breaches.
Detection criteria
This issue is flagged when external resources are loaded without an integrity attribute.
How to test
To validate this issue outside the SecurityScorecard platform, you can manually inspect whether external resources (such as JavaScript or CSS files) are loaded without an integrity attribute. This attribute ensures that the resource has not been tampered with and that it matches a known cryptographic hash.
Using browser developer tools
- Open the target website in a browser (such as Chrome or Firefox).
- Right-click anywhere on the page and select Inspect to open Developer Tools.
- Go to the Elements tab and look for
<script>or<link>tags that load resources from third-party domains (such as CDNs). - Check whether these tags include the
integrityattribute.
Unsafe:
<script src="https://cdn.example.com/lib.js"></script>Safe:
<script src="https://cdn.example.com/lib.js" integrity="sha384-abc123..." crossorigin="anonymous"></script>Alternatively, you can inspect the page source with the following command and review the output for any third-party scripts missing the integrity attribute.
curl -s https://example.com | grep "<script"What to look for
- External resources loaded from third-party domains.
- Absence of the
integrityattribute. - Missing
crossorigin="anonymous"when required.
How to mitigate
-
Identify external resources: review all
<script>and<link>tags that load assets from third-party domains. - Generate valid hashes: use a tool such as the SRI Hash Generator (srihash.org) to create SHA-256, SHA-384, or SHA-512 hashes of the resource content.
-
Update the HTML tags: add the
integrityandcrossorigin="anonymous"attributes.<script src="https://cdn.example.com/lib.js" integrity="sha384-abc123..." crossorigin="anonymous"></script>
Note: Implementing CSP will not resolve this SecurityScorecard finding. Only adding
integrityattributes or self-hosting the resource will close it."
Severity and scoring
This issue contributes to the Application Security factor score. As of the October 21, 2025 recalibration, its breach risk level is rated High, reflecting the increasing threat of supply chain attacks and the importance of resource integrity in modern web applications.
Best practices
- Always use SRI for static third-party resources.
- Host critical scripts locally when feasible.
- Regularly audit external dependencies.
- Monitor for changes in third-party content and update hashes accordingly.
Resources that can't support SRI (such as Google Fonts)
Google Fonts does not support SRI, even though SRI is a requested security best practice. Further information on this feature is available on the Google Fonts issue tracker.
SecurityScorecard recognizes that many common scripts from large, generally trusted organizations do not support SRI. As of the March 2026 update, we filter out scripts from the following sources, so they no longer trigger this issue: Google Tag Manager, Adobe Tag Manager, and Google Fonts APIs. If you have a script from one of these providers that you feel should be filtered out, please provide your feedback to our Support team.
Remediation options in SecurityScorecard
For information on how to remediate this issue, see Address issue findings in your Scorecard.