R330. Verify Subresource Integrity

This document contains the details of the security requirements related to the definition and management of resources and services in the organization. This requirement establishes the importance of using Subresource Integrity to validate the integrity of externally hosted resources.

Requirement

The application must verify the integrity of all externally hosted resources and dependencies using Subresource Integrity (SRI).

Description

Applications often use resources or have dependencies that are hosted on external servers such as a content delivery network (CDN). Applications must validate the integrity of such assets using Subresource Integrity (SRI), so that if one of those external systems is compromised, a modified asset is rejected by the browser instead of being executed.

References

  1. CWE-353: Missing Support for Integrity Check. The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

  2. CWE-494: Download of Code Without Integrity Check. The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

  3. OWASP ASVS v4.0.1 V14.2 Dependency (14.2.3). Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset.
