Home / Tools / Add Subresource Integrity (SRI) to third-party scripts
Content & Files · Scan Check Guide

Add Subresource Integrity (SRI) to third-party scripts

30 min Impact: medium Effort: medium ✓ Scan-verified — no manual checkbox

Subresource Integrity lets you tell the browser exactly what a third-party script or stylesheet SHOULD contain (a cryptographic hash) — without it, if that third-party CDN is ever compromised, the malicious replacement script loads on your site with zero warning, running with full access to your page.

Loading a script from a CDN means trusting that CDN never gets compromised. An integrity attribute makes the browser verify the file matches an exact hash before running it — if the CDN is ever compromised, the script simply fails to load instead of running malicious code on your site.

How to fix it

  1. 1
    Identify third-party scripts and stylesheets you load
    Any <script> or <link> tag pointing to an external CDN (jQuery, analytics libraries, font services, ad tags).
  2. 2
    Generate an integrity hash for each
    Most CDNs (cdnjs, jsDelivr) provide the SRI hash directly alongside their embed code — copy it as given.
  3. 3
    Add the integrity and crossorigin attributes
    <script src="..." integrity="sha384-..." crossorigin="anonymous"> — the browser will refuse to run the script if its actual content doesn't match the hash.
  4. 4
    Update hashes whenever you update the library version
    A new version of a library has a different hash — SRI will correctly BLOCK it as "tampered" if you forget to update the hash alongside the version.

Common mistakes

How you'll know it's done

All third-party scripts and stylesheets carry a matching integrity attribute.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →