Summary
headersvalidator currently checks HTTP response headers only. SRI (Subresource Integrity, W3C spec) cannot be detected from headers alone — it requires parsing the HTML body to find `<script>` and `<link>` tags that load external resources without an `integrity` attribute.
Proposed behaviour
- After fetching the page, parse the HTML body (e.g. with `html.parser` or BeautifulSoup)
- Find all `<script src="...">` and `<link rel="stylesheet" href="...">` tags where `src`/`href` is a cross-origin URL
- Flag any such tag missing the `integrity` attribute as a finding
- Report: list of offending URLs with the tag type and suggested `integrity` value (sha256/sha384 hash of the resource)
Status mapping
| Result | Condition |
|---|---|
| FAIL | One or more cross-origin resources lack `integrity` |
| PASS | All cross-origin resources have `integrity`, or none are present |
| INFO | No cross-origin resources found (same-origin only) |
Implementation notes
- New check in `headersvalidator/checker.py` (or a dedicated `checks/sri.py`) following the existing pattern
- I/O boundary: fetch the resource bytes to compute the hash — must be mockable in tests
- Wire into `assessor.py` and `reporter.py`
- Add a row to the README features table and `docs/SECURITY_VERDICT.md`
- Add `verdict.py` `_PRIORITY` entry
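A stdlib-only sketch of the proposed check, added here as an illustration and not code from headersvalidator: it walks the four steps under Proposed behaviour, returns the status from the mapping table, and takes `fetch` as the injectable I/O boundary named in the implementation notes. The function names, the sample page and the `example.test` hosts are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample page (not a real site): a same-origin script, a cross-origin
# script without integrity, and a protocol-relative cross-origin stylesheet with it.
SAMPLE_URL = "https://example.test/index.html"
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css" integrity="sha384-CONSTRUCTED">"""

class _ResourceCollector(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> as (tag, url, has_integrity)."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        has_integrity = bool(a.get("integrity"))  # bare/empty integrity="" protects nothing
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], has_integrity))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower().split():
            self.resources.append(("link", a["href"], has_integrity))

def is_cross_origin(page_url, resource_url):
    """Compare scheme and host[:port] after resolving relative and protocol-relative URLs."""
    page, res = urlsplit(page_url), urlsplit(urljoin(page_url, resource_url))
    return (res.scheme, res.netloc) != (page.scheme, page.netloc)

def suggest_integrity(body, algo="sha384"):
    """Format an SRI value as '<algo>-<base64 digest>'; sha384 is the spec's recommended default."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def check_sri(page_url, html, fetch):
    """Return (status, findings); fetch(url) -> bytes is the injectable I/O boundary."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings, cross_origin = [], 0
    for tag, url, has_integrity in collector.resources:
        if not is_cross_origin(page_url, url):
            continue
        cross_origin += 1
        if not has_integrity:  # report with the value a maintainer could paste in
            absolute = urljoin(page_url, url)
            findings.append({"tag": tag, "url": absolute,
                             "suggested_integrity": suggest_integrity(fetch(absolute))})
    status = "INFO" if cross_origin == 0 else ("FAIL" if findings else "PASS")
    return status, findings
```

In tests `fetch` can be a stub returning fixed bytes, so the hash computation is exercised without network access.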
Reference