This rule flags remote scripts and resources that are loaded without a cryptographic integrity check.
When a web application loads a script or resource from a remote host without verifying its integrity, it relies entirely on that remote host being trustworthy and uncompromised.
This rule raises an issue when an HTML <script> tag uses a remote src attribute without a corresponding
integrity attribute, or when JavaScript code dynamically creates a script element without setting its .integrity
property.
Note that downloading an artifact over HTTPS only protects it while in transit. It does not ensure the authenticity or security of the artifact itself.
If the remote source or its CDN is compromised, an attacker can silently replace the artifact with malicious code that executes in every visitor’s browser or on the server.
Client-side malware injected this way can impersonate users, capture credentials and session tokens, harvest sensitive personal data, or silently mine cryptocurrency in the background.
On the server side, a tampered artifact can access and modify sensitive business data, escalate privileges on the underlying operating system, or use the compromised application as a pivot to attack the local network.
The following code does not include an integrity check, which means any change to the remote artifact, whether made by its author or by an attacker, will execute unverified in the application. It also loads the resource from a mutable URL: even if an integrity hash were added, the hash would stop matching as soon as the upstream file changed, so the URL must be pinned to a specific version and the hash computed from that exact artifact.
// Noncompliant: no integrity hash, and "latest" can change at any time.
let script = document.createElement("script");
script.src = "https://cdn.example.com/latest/script.js"; // Noncompliant
script.crossOrigin = "anonymous";
document.head.appendChild(script);

// Compliant: the URL is pinned to one version and the browser refuses to run
// the script unless its SHA-384 digest matches. crossOrigin must be set for a
// cross-origin script, otherwise the response is opaque and cannot be checked.
let script = document.createElement("script");
script.src = "https://cdn.example.com/v5.3.6/script.js";
script.integrity = "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";
script.crossOrigin = "anonymous";
document.head.appendChild(script);