SEC-006 recommended Security Headers

Subresource Integrity (SRI) and GTM controls

External scripts from CDNs must have integrity hashes (SRI). If Google Tag Manager is used, access must be controlled since GTM cannot have SRI.

Question to ask

"Who has access to inject scripts via GTM right now?"

Pass criteria

  • All external CDN scripts have integrity attribute
  • crossorigin="anonymous" present with integrity
  • GTM access restricted and audited (if GTM in use)

Fail criteria

  • External CDN scripts missing SRI
  • GTM in use with no access controls
  • No CSP restrictions on script sources

Verification guide

Severity: Recommended (Critical if third-party CDNs or uncontrolled GTM)

Check automatically:

  1. Check HTML for integrity attributes:
# Fetch page and look for integrity attributes
curl -s https://example.com | grep -oE '<(script|link)[^>]*(integrity="sha[^"]+")[^>]*>'

# Find external scripts WITHOUT integrity (excluding GTM)
curl -s https://example.com | grep -oE '<script[^>]*src="https?://[^"]*cdn[^"]*"[^>]*>' | grep -v 'integrity='
  1. Check for GTM usage:
# Detect GTM
curl -s https://example.com | grep -oE 'googletagmanager.com/gtm.js\?id=GTM-[A-Z0-9]+'
  1. Check build system for SRI support:
# Look for SRI in build config
grep -riE "integrity|sri" . --include="*.js" --include="*.ts" --include="*.json" --include="webpack*" --include="vite*" 2>/dev/null | head -10
  1. Check CSP for script restrictions:
curl -sI https://example.com | grep -i "content-security-policy"
# Look for script-src restrictions

External scripts requiring SRI:

  • CDN-hosted libraries (jQuery, Bootstrap, lodash, etc.)
  • Font libraries (Google Fonts CSS)
  • Any script not from your origin

GTM-specific checks (GTM cannot have SRI - Google updates it dynamically):

  • CSP script-src: Restrict domains GTM can load from
  • GTM access audit: Who has access to add tags?
  • Custom templates only: Use GTM's sandboxed templates, not custom HTML
  • Server-side GTM: Consider for sensitive data

Ask user if GTM detected:

  • Who has access to the GTM container?
  • Is GTM access audited regularly?
  • Are custom HTML tags allowed, or only approved templates?
  • Is server-side GTM in use?

Cross-reference with:

  • Section 30 (API Security) - CSP headers
  • Section 15 (Admin Security) - GTM access is admin-level access

Pass criteria:

  • All external CDN scripts have integrity attribute
  • crossorigin="anonymous" present alongside integrity
  • If GTM in use:
    • GTM container access is restricted and audited
    • CSP limits script sources
    • Custom HTML tags disabled or require review

Fail criteria:

  • External CDN scripts missing SRI
  • GTM in use with no access controls
  • Anyone can add arbitrary scripts via GTM
  • No CSP restrictions on script sources

Evidence to capture:

  • List of external scripts with/without SRI
  • GTM container ID (if present)
  • GTM access list
  • CSP header value

Section

13. Infrastructure Security

Observability

← Previous

SEC-005

HTTPS-only headers (HSTS)

 Next →

SEC-007

SSL transparency reports