Supply Chain Security

Third-Party Script Security

Most modern websites rely on dozens of external scripts. Learn how to ensure those scripts aren't becoming a back door for hackers.

01 The Supply Chain Threat

A supply chain attack happens when an attacker compromises a vendor you trust. If your analytics provider, ad network, or CSS library is hacked, the malicious code is automatically served to your visitors, bypassing all your server-side security.

02 Taking a Script Inventory

You can't secure what you can't see. Use the browser's Network tab or an automated scanner to list every external domain your site connects to. Often, you'll find 'ghost' scripts from old marketing campaigns that are still being loaded.
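The inventory step above, as an added example that is not part of the original article: a small Node.js script that reads a page's HTML, lists every third-party origin a script tag loads from, and notes whether each tag already carries an integrity attribute. The HTML and the hostnames in it are constructed sample input (reserved .test domains), and the page origin is an assumed placeholder.

```javascript
// Added example (not from the original article): build a third-party script
// inventory from a page's HTML. Lists every external <script src> origin and
// whether the tag already carries an SRI integrity attribute.
// The HTML below is constructed sample input; the origins in it are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-analytics.test/tag.js" async></script>
<script src="https://cdn.example-lib.test/lib.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//ads.example-network.test/loader.js"></script>
<script src="https://cdn.example-analytics.test/pixel.js"></script>
</head><body></body></html>`;

// Extract <script ...> tags that have a src attribute. A regex is enough for an
// audit pass over static HTML; scripts injected at runtime need the Network tab
// or a headless browser instead.
function scriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline scripts have no src
    tags.push({
      src: src[1],
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return tags;
}

// Group external scripts by origin. pageOrigin decides what counts as "external";
// relative and protocol-relative URLs (//host/...) are resolved against it.
function inventory(html, pageOrigin) {
  const byOrigin = new Map();
  for (const tag of scriptTags(html)) {
    const url = new URL(tag.src, pageOrigin);
    if (url.origin === new URL(pageOrigin).origin) continue; // first-party script
    const entry = byOrigin.get(url.origin) || { scripts: [], missingSri: 0 };
    entry.scripts.push(url.href);
    if (!tag.hasIntegrity) entry.missingSri += 1;
    byOrigin.set(url.origin, entry);
  }
  return byOrigin;
}

// Usage: one line per third-party origin, with a count of tags lacking SRI.
for (const [origin, entry] of inventory(SAMPLE_HTML, 'https://www.example.test')) {
  console.log(`${origin}: ${entry.scripts.length} script(s), ${entry.missingSri} without SRI`);
}
```

Run it against a saved copy of each page template; an origin you do not recognise, or one that appears on a page that never needed it, is the 'ghost' script the section describes.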

03 Subresource Integrity (SRI)

SRI allows you to provide a cryptographic hash for every script tag. If the script on the CDN changes even by a single byte, the browser will refuse to execute it. This is your best defense against CDN hacks. Note that SRI only works for resources whose bytes are fixed: a script that the vendor rewrites on every load (some tag managers do this) cannot be pinned, so weigh whether you want such a dependency at all.

<script src="..." integrity="sha384-..." crossorigin="anonymous"></script>

04 CSP Script Policies

Use the script-src directive in your Content Security Policy to whitelist only the domains you trust. The browser then blocks scripts from any origin not on the list, whether they were added by an unvetted team ('shadow IT') or injected via XSS or other means.

05 Ongoing Monitoring

New scripts are often added during development or by marketing teams. Regular security audits ensure that every new dependency is vetted and follows your security standards (like having SRI and being allowed by CSP).
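Sections 04 and 05 together, as an added example that is not from the original article: a checker that parses the script-src list from a Content-Security-Policy header and decides whether a given script URL is allowed, followed by the audit report a recurring review would produce over an inventory of scripts (not allowed by CSP, or third-party without SRI). The policy header, script list, and hostnames are constructed placeholders; path-part matching in CSP source expressions is deliberately omitted.

```javascript
// Added example (not from the original article): evaluate a Content-Security-Policy
// script-src allowlist against third-party script URLs, then produce the audit
// report a recurring review needs. The policy, script list and hosts below are
// constructed placeholders. Path matching in source expressions is omitted.

// Parse the CSP header and return the source list for script-src, falling back to
// default-src as the browser does when script-src is absent.
function scriptSources(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Does one source expression permit this URL? Handles 'self', '*', scheme-only
// sources (https:), and host sources with optional scheme, port and a leading
// wildcard label (*.cdn.test). Nonce and hash sources never match an external URL.
function sourceAllows(source, url, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none' || s.startsWith('nonce-') || /^sha(256|384|512)-/.test(s)) return false;
  if (s === 'self') return url.origin === new URL(pageOrigin).origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-only source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme in the source: the URL must use the page's scheme, or https.
  const pageProto = new URL(pageOrigin).protocol;
  const schemeOk = scheme ? url.protocol === `${scheme}:`
                          : (url.protocol === pageProto || url.protocol === 'https:');
  if (!schemeOk) return false;
  const h = url.hostname.toLowerCase();
  const hostOk = host.startsWith('*.')
    ? h.endsWith(host.slice(1)) && h.length > host.length - 1 // at least one extra label
    : h === host;
  if (!hostOk) return false;
  if (port === '*') return true;
  if (port) return url.port === port;
  return url.port === ''; // no port in source: URL must use the scheme's default port
}

function cspAllows(cspHeader, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl, pageOrigin);
  return scriptSources(cspHeader).some(src => sourceAllows(src, url, pageOrigin));
}

// Audit: each entry is { src, hasIntegrity } as a script inventory would report it.
// First-party scripts are not flagged for missing SRI; third-party ones are.
function auditScripts(cspHeader, scripts, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  return scripts.map(({ src, hasIntegrity }) => {
    const findings = [];
    const url = new URL(src, pageOrigin);
    if (!cspAllows(cspHeader, src, pageOrigin)) findings.push('not-allowed-by-csp');
    if (url.origin !== origin && !hasIntegrity) findings.push('missing-sri');
    return { src, findings };
  });
}

const PAGE_ORIGIN = 'https://www.example.test';
const CSP = "default-src 'self'; script-src 'self' https://cdn.example-lib.test *.example-analytics.test; object-src 'none'";
const SCRIPTS = [
  { src: 'https://cdn.example-lib.test/lib.min.js', hasIntegrity: true },
  { src: 'https://tags.example-analytics.test/tag.js', hasIntegrity: false },
  { src: 'https://ads.example-network.test/loader.js', hasIntegrity: false }, // ghost script from an old campaign
  { src: '/js/app.js', hasIntegrity: false },
];

// Usage: one line per script with its findings, the input for the next review.
for (const r of auditScripts(CSP, SCRIPTS, PAGE_ORIGIN)) {
  console.log(`${r.src}: ${r.findings.length ? r.findings.join(', ') : 'ok'}`);
}
```

Running this in CI against the page templates and the deployed CSP header turns the periodic audit into a gate: a script that a team adds without updating the policy shows up as not-allowed-by-csp before it reaches production, and a third-party tag without a pinned hash shows up as missing-sri.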

06 Frequently Asked Questions

What is a supply chain attack in web security?

It's an attack where a hacker compromises a third-party service (like an analytics script or a CDN) that your website depends on, allowing them to inject malicious code into your site without hacking your server directly.

What is SRI (Subresource Integrity)?

SRI is a security feature that enables browsers to verify that resources they fetch are delivered without unexpected manipulation. It uses a cryptographic hash to ensure the script content hasn't changed.

How many third-party scripts are too many?

There's no magic number, but every script adds a potential point of failure and a performance cost. A good rule of thumb is to only use scripts that provide essential functionality.
