Security · Low

Subresource Integrity

Checks that third-party scripts use SRI hashes to prevent tampering.

What this check measures

We find all `<script src>` pointing to external CDNs and verify each has an `integrity="sha384-..."` hash. Without SRI, a compromised CDN can inject malicious code into your site.

Why it matters

SRI prevents supply-chain attacks on third-party CDNs. Real-world example: British Airways (Magecart 2018) had customer data stolen via a compromised third-party script. SRI would have blocked it.


How our audit detects it

Parse `<script src>` tags. For each script loaded from an external origin, check for an `integrity` attribute carrying a sha256, sha384 or sha512 hash.

Typical findings

  • jQuery loaded from cdnjs without integrity hash.
  • Analytics/chat scripts without SRI — common attack vector.
  • integrity hash present but crossorigin attribute missing (required).

How to fix

For every external script, generate a hash (https://www.srihash.org/) and add `integrity="sha384-..." crossorigin="anonymous"`. Consider self-hosting critical scripts.
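
The detection rule and the hash format described above, as an added Python sketch (not Pantra's own code). It assumes "external" means a different host than the page, which is simpler than a full origin comparison; the hosts, file names and finding labels are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Integrity value for a script body: '<alg>-<base64 of raw digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

class ScriptAudit(HTMLParser):
    """Collects (src, finding) pairs for external scripts on one page."""
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # valueless attributes such as bare `crossorigin` map to None
        host = urlparse(a.get("src") or "").netloc
        if not host or host == self.page_host:
            return  # inline, relative or same-host script: out of scope for this check
        tokens = (a.get("integrity") or "").split()
        if not any(t.startswith(SRI_PREFIXES) for t in tokens):
            self.findings.append((a["src"], "missing-integrity"))
        elif "crossorigin" not in a:
            self.findings.append((a["src"], "missing-crossorigin"))

def audit(html: str, page_host: str):
    parser = ScriptAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts and file names are made up.
LIB = b"console.log('lib');"
SAMPLE = f"""
<script src="/js/app.js"></script>
<script src="https://cdn.example/a.js"></script>
<script src="https://cdn.example/b.js" integrity="{sri_hash(LIB)}"></script>
<script src="//cdn.example/c.js" integrity="{sri_hash(LIB)}" crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    for src, finding in audit(SAMPLE, "www.example.test"):
        print(finding, src)
```

Hash the exact bytes the CDN serves for the pinned version; any change to the file, including whitespace, produces a different value.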

Frequently asked questions

Does SRI break auto-updating CDN scripts?
Yes — that is the point. If the script changes, the hash mismatches and the browser refuses. Pin to a specific version.
