Do your third-party scripts carry integrity hashes so the browser can detect tampering?

Checks that scripts and stylesheets loaded from outside your domain have hash attributes proving they have not been altered.

What this signal tests

Subresource Integrity, or SRI, lets you pin the exact contents of any external script or stylesheet your page loads. When you add an integrity attribute with a SHA-256, SHA-384, or SHA-512 hash to each external tag, the browser refuses to run the file if its contents have been modified, even by one byte. We scan your page for cross-origin scripts and stylesheets and check that at least 80% carry a valid integrity attribute plus a crossorigin attribute.

Why it matters for your visibility in AI

Third-party scripts are a common path for supply-chain compromise. Attackers who breach a CDN, a tag manager vendor, or an analytics provider can inject malicious code that runs in your visitors' browsers without you noticing. SRI makes that attack visible: the moment the script's hash no longer matches what you pinned, the browser refuses to execute it. AI trust scorers treat SRI presence as evidence of supply-chain hygiene because it is one of the few signals that genuinely raises the cost of a stealthy compromise.

The consequence of missing SRI is operational fragility. You depend on every third-party domain you load from being itself uncompromised, which is a chain of trust you do not control. Even reputable CDNs and tag managers have been breached. For sites in regulated sectors (finance, healthcare, e-commerce), missing SRI is a recurring audit finding and a visible negative in trust assessments.

Pass criteria at a glance

Criterion Passes when
>=80% of cross-origin script/link have valid integrity + crossorigin.

How we test it

We parse your page's HTML and find every <script src=...> and <link rel="stylesheet" href=...> whose source is on a domain different from yours. For each, we check whether an integrity attribute is present and matches the expected format (sha256-, sha384-, or sha512- followed by a Base64 hash). We also check for a crossorigin attribute, which the spec requires alongside integrity. If 80% or more of cross-origin assets satisfy both checks, the signal passes.

Technical detection method: for each external script/link, verify that integrity matches `^(sha256|sha384|sha512)-[A-Za-z0-9+/=]+$` and that crossorigin is present.
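
The check described above can be reproduced offline. The following is an added example, not the scanner's own code: it applies the page's regex and 80% threshold to a constructed sample page. The names `sri_hash`, `SriAudit` and `audit`, the sample hosts, and the choice to treat a page with no external assets as passing are assumptions.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SRI_RE = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/=]+$")  # pattern from the page

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Integrity value for `content`: '<alg>-<base64 of the raw digest>'."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, content).digest()).decode()

class SriAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.host = page_url, urlparse(page_url).hostname
        self.results = []  # (absolute URL, ok) for each cross-origin asset

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare `crossorigin` attribute maps to None
        if tag == "script":
            ref = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            ref = a.get("href")
        else:
            return
        url = urljoin(self.page_url, ref or "")  # resolves relative and //host URLs
        if not ref or urlparse(url).hostname == self.host:
            return  # inline script, or same host (simplification: scheme/port ignored)
        tokens = (a.get("integrity") or "").split()  # may hold several hashes
        ok = bool(tokens) and all(SRI_RE.match(t) for t in tokens) and "crossorigin" in a
        self.results.append((url, ok))

def audit(html, page_url, threshold=0.8):
    parser = SriAudit(page_url)
    parser.feed(html)
    total, passed = len(parser.results), sum(ok for _, ok in parser.results)
    ratio = passed / total if total else 1.0  # assumption: nothing external counts as a pass
    return {"total": total, "passed": passed, "pass": ratio >= threshold,
            "failing": [url for url, ok in parser.results if not ok]}

# Constructed sample page: one pinned asset, one unpinned, one missing crossorigin.
GOOD = sri_hash(b"console.log('lib');")
SAMPLE = f"""
<script src="https://cdn.example.com/lib.js" integrity="{GOOD}" crossorigin="anonymous"></script>
<script src="https://tags.example.net/t.js"></script>
<link rel="stylesheet" href="//fonts.example.org/f.css" integrity="{GOOD}">
<script src="/static/app.js"></script>
"""
```

Calling `audit(SAMPLE, "https://www.example.com/")` reports one of three cross-origin assets as compliant, so the sample fails the 80% threshold. A well-formed attribute only proves the format; whether the pinned value matches the bytes actually served is decided by comparing it with `sri_hash()` of the fetched file.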

If your site fails: how to fix it

  1. List every cross-origin script and stylesheet your pages load. Common examples: jQuery from a CDN, Google Tag Manager, a font provider, an analytics snippet, a chat widget.
  2. For each, generate the SRI hash. The free tool at srihash.org accepts a URL and returns the full attribute. Tools like webpack-subresource-integrity, html-webpack-plugin, or your CDN's native SRI feature can automate this for build-time assets.
  3. Add the integrity attribute and crossorigin="anonymous" to each tag. Example: `<script src="https://cdn.example.com/lib.js" integrity="sha384-..." crossorigin="anonymous"></script>`.
  4. Be careful with assets that change frequently. If a third-party provider serves a moving-target URL (like Google Tag Manager's gtm.js), pinning the hash will break the script every time the provider updates it. Either accept that trade-off, host a vendored copy you control, or use a stable URL with a fixed version.
  5. Validate by deliberately modifying a hash and confirming in DevTools that the browser refuses to load the script. Then restore the correct hash and re-run the AI Ready Test scan.

Quick facts

Maturity: ESTABLISHED
Weight: medium
Category: Trust & Provenance

Frequently asked questions

Will I need IT help to fix this?

Yes, mostly. SRI is a template-level change and requires a developer to add and maintain the attributes. Build-tool plugins can automate hash generation for assets you control, which reduces the maintenance burden significantly.

What about scripts that update themselves frequently?

SRI does not fit moving-target URLs by design. For frequently updated third-party scripts, either accept that you cannot SRI-pin them, vendor a snapshot to your own CDN, or use the third party's versioned URLs (most major libraries publish version-pinned paths). Mix and match per script.

Does adding SRI affect page speed?

Negligibly. Browsers compute the hash as part of normal parsing, in parallel with rendering. The added bytes for the attribute are a few dozen per tag. Performance impact is unmeasurable on real sites.

How long until the change takes effect?

Immediately on the next page render. The browser enforces SRI on every page load. There is no propagation. You will see the result on the next request to your own site.
