Severity: medium | Category: Security & Infrastructure

Subresource Integrity (SRI)

When you load JavaScript from external CDNs without Subresource Integrity (SRI), a compromised CDN can serve malicious code to every visitor on your site. SaaSalyst checks all external script tags for integrity attributes, identifying supply chain attack vectors.

What SaaSalyst Checks

SaaSalyst identifies all <script> tags loading from external domains (different registered domain from your site) and checks whether each has an integrity attribute with a cryptographic hash. Scripts from subdomains of your own domain (e.g., cdn.yoursite.com) are correctly excluded.

Why This Matters

Supply chain attacks through compromised CDNs are a growing threat. The Polyfill.io incident in 2024 affected over 100,000 websites when the CDN domain was acquired and began serving malicious code. SRI prevents this by telling browsers to reject scripts whose content doesn't match a pre-declared hash.

OWASP classifies this under A06:2021 (Vulnerable and Outdated Components). For SaaS products, a supply chain compromise can expose customer data, inject credential-stealing code, or deface your application.

Modern bundlers and CDN providers make SRI implementation straightforward — cdnjs, jsDelivr, and unpkg all provide integrity hashes for hosted packages.

How to Fix It

  1. Add integrity and crossorigin attributes to all external script tags: <script src='https://cdn.example.com/lib.js' integrity='sha384-...' crossorigin='anonymous'></script>
  2. Generate SRI hashes using: shasum -b -a 384 file.js | awk '{ print $1 }' | xxd -r -p | base64
  3. Use CDN providers that publish integrity hashes for the files they host (cdnjs, jsDelivr, and unpkg all do).
  4. Consider self-hosting critical third-party scripts to eliminate CDN dependency entirely.
  5. Automate SRI hash generation in your build pipeline — webpack-subresource-integrity and similar plugins handle this.
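As an added example (not SaaSalyst's own code), the Python below does both halves of the procedure above: it builds the integrity value for a script body the way step 2 does with shasum, and it scans a page for external script tags that lack a usable integrity attribute, with the same own-subdomain exclusion described under "What SaaSalyst Checks". It also flags a cross-origin script that has integrity but no crossorigin attribute, since the browser then blocks it rather than verifying it. The registered-domain comparison is simplified to the last two labels (an assumption noted in the code) and the sample HTML is constructed for the demonstration.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

INTEGRITY_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+=*$")

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the integrity value for a script body: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"

def registered_domain(host: str) -> str:
    # Assumed simplification: last two labels. A real scanner should use the
    # Public Suffix List, otherwise e.g. 'example.co.uk' is compared wrongly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":  # valueless attrs (a bare crossorigin) become ""
            self.scripts.append({k: (v or "") for k, v in attrs})

def find_sri_issues(html: str, site_host: str) -> list:
    """Return (src, problem) for every external script that is not SRI-protected."""
    parser = _ScriptCollector()
    parser.feed(html)
    issues = []
    for attrs in parser.scripts:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for inline and relative scripts
        if host is None or registered_domain(host) == registered_domain(site_host):
            continue  # same site or an own subdomain such as cdn.yoursite.com
        if "integrity" not in attrs:
            issues.append((src, "missing integrity"))
        elif not INTEGRITY_RE.match(attrs["integrity"]):
            issues.append((src, "malformed integrity"))
        elif "crossorigin" not in attrs:
            # Without crossorigin the response is opaque and the browser blocks the script
            issues.append((src, "missing crossorigin"))
    return issues

SAMPLE_HTML = f"""
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib.js" integrity="{sri_hash(b'console.log(1);')}" crossorigin="anonymous"></script>
<script src="https://static.example.org/x.js" integrity="md5-abc" crossorigin></script>
<script src="https://other.example.net/y.js" integrity="{sri_hash(b'y')}"></script>
<script src="//cdn.yoursite.com/app.js"></script>
"""  # constructed sample page, not a real site; integrity values come from sri_hash()
```

Running `find_sri_issues(SAMPLE_HTML, "www.yoursite.com")` reports the first, third and fourth scripts; the jsDelivr tag passes and the cdn.yoursite.com tag is excluded as an own subdomain.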

Frequently Asked Questions

How does SaaSalyst check for SRI?

SaaSalyst scans all script tags with external src URLs (different registered domain from your site) and checks for the presence of an integrity attribute. Scripts from your own subdomains are excluded since they are under your control.

Does SRI work with dynamically loaded scripts?

SaaSalyst checks scripts present in the HTML source. Dynamically injected scripts (loaded via JavaScript) are not visible to the scanner. For those, set the integrity and crossorigin attributes in your script loader code before appending the element, or use the Content-Security-Policy require-sri-for directive (note that require-sri-for is experimental and not broadly supported by browsers, so do not rely on it alone).

Check Your SaaS Now — Free

SaaSalyst scans your website in 30 seconds and checks for Subresource Integrity (SRI) along with 78+ other business readiness signals.
