Security
Subresource Integrity
Cryptographic hash on every CDN-loaded <script> and <link>. If the file changes, the browser refuses to load it. Cheap defence against supply-chain compromise.
What it is
Subresource Integrity (SRI): the integrity attribute on <script> and <link> elements lets you pin a specific SHA-256, SHA-384 or SHA-512 hash. The browser computes the hash of the fetched bytes and, on mismatch, refuses to execute the script or apply the stylesheet.
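The check described above, as an added example (Node.js, not code from this page): it builds an integrity value and applies the browser's decision rule, including the cases where several hashes are listed and where none is usable. The file contents and the cdn.example URL are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Weakest to strongest; only these three are accepted in integrity metadata.
const ALGS = ["sha256", "sha384", "sha512"];

const digest = (alg, bytes) =>
  nodeCrypto.createHash(alg).update(bytes).digest("base64");

// Build the attribute value: "<alg>-<base64 digest of the exact file bytes>".
function sriFor(bytes, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${digest(alg, bytes)}`;
}

// Render the tag. crossorigin is needed for cross-origin files: without a
// CORS-enabled response the browser cannot check the hash and blocks the load.
function scriptTag(url, bytes) {
  return `<script src="${url}" integrity="${sriFor(bytes)}" crossorigin="anonymous"></script>`;
}

// Split the attribute into usable entries; unknown or malformed tokens are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(t))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
}

// Browser-style decision: true means the fetched bytes may be used.
function verify(bytes, attr) {
  const entries = parseIntegrity(attr);
  // No usable hash (for example a typo in the algorithm name) means no check
  // is enforced at all, so the resource loads unverified.
  if (entries.length === 0) return true;
  // Only hashes of the strongest listed algorithm count.
  const strongest = ALGS.filter((a) => entries.some((e) => e.alg === a)).pop();
  const actual = digest(strongest, bytes);
  return entries.some((e) => e.alg === strongest && e.digest === actual);
}

// Constructed sample: a pinned file and a modified copy of it.
const pinned = Buffer.from("console.log('widget v1');\n");
const tampered = Buffer.from("console.log('widget v1');/*changed*/\n");
console.log(scriptTag("https://cdn.example/widget.js", pinned));
console.log("pinned:", verify(pinned, sriFor(pinned)));
console.log("tampered:", verify(tampered, sriFor(pinned)));
```

Because an attribute with no recognisable hash is not enforced, a deployment check should parse every integrity value and fail the build when it yields no entries.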
Why it matters
When a CDN, npm package, or analytics vendor gets compromised, SRI is the difference between 'no impact' and 'every visitor ran attacker code'. Magecart-style supply-chain attacks are why this exists.
Who it applies to
Any site loading scripts or stylesheets from a third-party CDN.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
Related standards
- See also: CSP 3, Security headers
Other references
- guidance MDN — Subresource Integrity
- guidance OWASP — Third-party JavaScript Management