Skip to main content
Vantyris
`. The `crossorigin` attribute is required for SRI to work cross-origin."},{"@type":"HowToStep","position":5,"name":"Test in a staging environment first","text":"If the hash is wrong, the browser refuses to load the script. Your site breaks silently for visitors. Verify in DevTools that no script is blocked before shipping to production."}]}

Supply chain

Subresource Integrity: the third-party script defence most sites skip.

Published 2026-05-11 · Last updated 2026-05-11 · Vantyris editorial

Most small business sites load five to twenty scripts from third-party CDNs: analytics, fonts, A/B testing, chat widgets, payment SDKs. Every one of those is a supply-chain risk: if the CDN gets compromised, your site executes whatever malicious code the attacker swaps in, in your visitors' browsers, under your domain. Subresource Integrity (SRI) is the one-line browser-level defence that closes this. It takes minutes to add and stops 100% of the attack class.

What this means for your business

How to fix

Add an `integrity` attribute with an SHA-384 hash and `crossorigin="anonymous"` to every external script and stylesheet tag. Use the CDN's published hash, or compute one with `openssl`.

  1. List your external scripts. Open Chrome DevTools → Network → reload. Filter by JS + CSS. Note every domain that isn't yours. Common ones: cdnjs.cloudflare.com, jsdelivr.net, unpkg.com, fonts.googleapis.com, google-analytics.com, googletagmanager.com.
  2. Decide which scripts you control the version of. SRI requires the file at the URL never changes. That works for pinned-version URLs (cdn.example.com/library@1.2.3/dist.js). It does NOT work for unpinned URLs (cdn.example.com/library/latest/dist.js). And it does NOT work for dynamic scripts like Google Analytics (gtag.js), where Google updates the file regularly. Skip those.
  3. Generate or copy the SRI hash for each pinned script. Most CDNs publish SRI hashes on their official pages (cdnjs.cloudflare.com shows them next to the URL). Or compute locally: `curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A`. Prefix with `sha384-`.
  4. Update each script and stylesheet tag. Add the attributes: `<script src="https://cdnjs.cloudflare.com/library@1.2.3/dist.js" integrity="sha384-<hash>" crossorigin="anonymous"></script>`. The `crossorigin` attribute is required for SRI to work cross-origin.
  5. Test in a staging environment first. If the hash is wrong, the browser refuses to load the script. Your site breaks silently for visitors. Verify in DevTools that no script is blocked before shipping to production.

Owner: Your developer. · Time: 15-30 minutes for a typical site with 5-10 external scripts.

Common gotchas

How to verify the fix

Run a Vantyris scan; the Supply chain category lists every external script and flags ones without SRI. Or use Mozilla Observatory (observatory.mozilla.org), which has its own SRI check.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Is SRI worth the effort for a small site?

Yes. The fix is one attribute per script tag, takes minutes, and protects against an entire attack class. Compared to most security work, it's high-leverage.

Should I host third-party scripts on my own server instead?

Sometimes. Self-hosting eliminates the CDN supply-chain risk entirely. The tradeoff: you lose the caching benefit (visitors who already loaded the script from the CDN on another site don't get it from cache on yours). For low-traffic sites, self-host. For traffic-sensitive sites, use SRI with the CDN.

What if the third party updates their script and breaks my site?

That's the cost-benefit of SRI. With SRI, you choose when to upgrade. Without it, the CDN can change the file under you any time. Most sites prefer the explicit upgrade.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0