Configuration: Subresource Integrity Missing
Identifier: subresource_integrity_missing
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
Not including a Subresource Integrity (SRI) attribute when pulling in external scripts means you have no way to verify that those resources have not been tampered with. If an attacker alters an external script, they can inject malicious code that runs alongside your site's content, potentially stealing data or compromising users. Developers sometimes skip SRI because they assume trusted sources are always secure, which leaves room for attack if that trust is broken (for example, when the third-party host serving the script is compromised). This shortfall can lead to significant security risks if not addressed.
References:
Configuration
Example
Example configuration:

```yaml
---
security_tests:
  subresource_integrity_missing:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
```
Reference
assets_allowed
Type: List[AssetType]
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.