
Security Test: Configuration_SubresourceIntegrityMissing

Description

Default Severity:

A missing Subresource Integrity (SRI) attribute allows attackers to tamper with external scripts, potentially injecting malicious code.

Reference:

Configuration

Identifier: configuration/subresource_integrity_missing

Examples

All configuration available:

checks:
  configuration/subresource_integrity_missing:
    skip: false # default

Compliance and Standards

Standard           Value
OWASP API Top 10   A08:2021
OWASP LLM Top 10   LLM04:2023
PCI DSS            6.5.5
GDPR               Article-32
SOC2               CC7
PSD2               Article-95
ISO 27001          A.14.2
NIST               SP800-53
FedRAMP            SI-11
CWE                354
CVSS Vector        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score         7.5

Remediation

Implement Subresource Integrity (SRI) by adding the integrity attribute to every externally loaded script and stylesheet. Compute the integrity value over the exact bytes the server delivers, using a cryptographic hash function such as SHA-256, SHA-384 or SHA-512; any change to the served file invalidates the hash, so pin the resource to a fixed version rather than a URL whose content may change. Additionally, set the crossorigin attribute so that credentials are not sent with the request; for cross-origin resources this also enables the CORS response the browser needs in order to read the bytes and verify the hash, and without it the resource is blocked.

Frontend Specific

React: Ensure that all externally loaded scripts in React applications use the `integrity` attribute with a valid cryptographic hash and set `crossorigin="anonymous"` when needed.
Angular: Use the `integrity` attribute for all external script and stylesheet imports to prevent unauthorized modifications.
Vue: Implement Subresource Integrity by adding the `integrity` attribute to all external resource links.
Svelte: Ensure that Svelte applications enforce Subresource Integrity by using properly hashed and integrity-checked external scripts.
Ember: Use Subresource Integrity for all external assets by specifying a valid `integrity` hash in script and link elements.
Backbone: Apply Subresource Integrity in Backbone applications by ensuring all external resources include the `integrity` attribute.
Preact: Implement SRI in Preact applications by adding cryptographic hashes for all externally loaded scripts.
Gatsby: Configure Gatsby applications to use the `integrity` attribute for all remote scripts and stylesheets.
Blazor: Ensure that Blazor applications enforce SRI by adding integrity attributes to all external resources.
Marko: Use Subresource Integrity in Marko applications by ensuring that external resources are validated using cryptographic hashes.
Mithril: Ensure that Mithril applications use the `integrity` attribute for all externally loaded resources.