
Security Test: Configuration_SubresourceIntegrityMissing

Description

Default Severity:

Not including an SRI (Subresource Integrity) attribute when pulling in external scripts means you have no way to verify that those resources haven't been tampered with. If an attacker alters an external script (for example by compromising the CDN or host that serves it), the browser will still execute it, so the injected code runs with the full privileges of your site's own scripts and can steal data or compromise users. Developers sometimes skip SRI because they assume trusted sources are always secure, which leaves no protection if that trust is broken. Left unaddressed, this gap exposes every page that loads the resource.

Reference:

Configuration

Identifier: configuration/subresource_integrity_missing

Examples

All configuration available:

checks:
  configuration/subresource_integrity_missing:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API8:2023
OWASP LLM Top 10 LLM04:2023
PCI DSS 6.5.5
GDPR Article-32
SOC2 CC7
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP SI-11
CWE 354
CVSS Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score 7.5