SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

SRI01 Missing Subresource Integrity

What this means

SiteShadow flagged external <script> / <link> assets (typically from CDNs) that are included without Subresource Integrity (SRI) hashes.

Why it matters

Without SRI, compromised CDN assets can execute malicious code in your app.

Safer examples

1) Add SRI + crossorigin for CDN assets

<script
  src="https://cdn.example.com/lib.min.js"
  integrity="sha384-BASE64_HASH_HERE"
  crossorigin="anonymous"
></script>

2) Self-host critical assets

If you can't reliably manage SRI, bundling/self-hosting reduces external dependency risk.

3) Pin versions (don't use "latest")

Pin CDN URLs to exact versions so the content is predictable.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.