Fetching external resources, for example from a CDN, without verifying their integrity can compromise the security of an application: if the CDN is
compromised and a resource is replaced by a malicious one, the browser loads the attacker's version as part of the application. The Subresource
Integrity (SRI) feature blocks the inclusion of such a resource when the pre-computed digest of the expected resource does not match the digest of
the resource that was actually retrieved.
Ask Yourself Whether
- The resources are fetched from external CDNs.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
- implement resource integrity checks for all static resources (where "static" means that the resource's content does not change dynamically,
for example based on the requesting browser); a digest can only be pre-computed for content that is known in advance
- use versioned resources (a URL pinned to a specific release) instead of the "latest" version of a resource, whose content changes with every
release and would therefore stop matching the pre-computed digest
Sensitive Code Example
<script src="https://cdnexample.com/script.js"></script> <!-- Sensitive -->
Compliant Solution
<script src="https://cdnexample.com/script.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> <!-- Compliant: the integrity value must be replaced with the digest of the expected resource; crossorigin is needed so that the browser can check a cross-origin resource -->
See