Verify Subresource Integrity


The application must verify the integrity of all externally hosted resources and dependencies using Subresource Integrity (SRI).


Applications often use resources or have dependencies that are hosted on external servers such as a content delivery network (CDN). Applications must validate the integrity of such assets using Subresource Integrity (SRI), in case those systems are compromised.


  • CAPEC-148: Content Spoofing: An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged.

  • CAPEC-154: Resource Location Spoofing: An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.

  • CAPEC-165: File Manipulation: An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application.

  • CWE-353: Missing Support for Integrity Check: The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

  • CWE-494: Download of Code Without Integrity Check: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

  • OWASP-ASVS v4.0.1 V10.3 Deployed Application Integrity Controls.(10.3.1): Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update.

  • OWASP-ASVS v4.0.1 V10.3 Deployed Application Integrity Controls.(10.3.2): Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet.

  • OWASP-ASVS v4.0.1 V14.2 Dependency.(14.2.3): Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset.