Remediation Steps

Follow the steps below to remediate this finding on Generic / Developer guidance.

  1. Only load JavaScript from origins you control or that you explicitly trust.

  2. Audit all <script src="..."> tags and JavaScript includes and replace any unnecessary third-party sources with self-hosted copies.

  3. For any remaining third-party scripts, add Subresource Integrity (SRI) attributes, for example:

     <script src="https://cdn.example.com/lib.js"
             integrity="sha384-<hash>"
             crossorigin="anonymous"></script>

     The crossorigin attribute is required when the script is cross-origin: without it the browser cannot read the response to verify it, so the integrity check fails and the script is not executed. Regenerate the hash whenever the referenced file changes, which is why pinning a versioned URL rather than a "latest" alias is preferable.

  4. Implement a strict Content-Security-Policy that limits script-src to known hosts.