How to fix: Subresource Integrity (NIS2 supply-chain)
NIS2 Art. 21(2)(d)
Why this matters
Third-party scripts loaded by your page can be compromised at the source and silently push malicious code to your visitors. SRI (integrity=) tells the browser to refuse a script whose hash doesn't match — supply-chain defence in one attribute.
Background
<script> and <link> tags loading from third-party CDNs without integrity= attributes are a direct supply-chain risk — if the CDN is compromised (or you typo a URL), your users execute whatever the CDN serves. SRI hashes pin the expected content; the browser refuses to execute on mismatch.
References
W3C SRI · NIS2 Art. 21 (supply chain security)
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
Not an nginx concern — markup responsibility.
apache
Same.
cloudflare
Same.
wordpress
Plugins like Embed Privacy or WP-SRI can auto-add SRI; or self-host third-party scripts.
flask
Use the integrity= attribute in <script>/<link> when loading from a CDN. Generate the hash with: openssl dgst -sha384 -binary file.js | openssl base64 -A
The attribute value is sha384- followed by that base64 output.
express
Same — front-end concern. Many bundlers (webpack-subresource-integrity, vite-plugin-sri) add SRI automatically.
rails
asset_pack_tag / javascript_include_tag accept integrity options when configured.
Verify it's working
View source and search for <script src= or <link rel=stylesheet tags that load from external origins. Each should have integrity= and crossorigin= attributes.
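The same check can be scripted. The following is an added example, not code from this page or from any tool it names: it lists external scripts and stylesheets that lack integrity= or crossorigin=, and computes the attribute value the openssl command above produces. The function names, hosts and sample markup are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup; hosts and hash values are placeholders.
SAMPLE = """
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="https://cdn.example.net/ok.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="//cdn.example.net/site.css" integrity="sha384-PLACEHOLDER">
<script src="/static/app.js"></script>
"""

def sri_value(content: bytes) -> str:
    """SHA-384 digest, base64-encoded, with the sha384- prefix the attribute needs."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

def origin(url: str):
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

class SRIAudit(HTMLParser):
    """Collects external <script src> and <link rel=stylesheet> tags lacking SRI attributes."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (resolved URL, [missing attribute names])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases names; valueless attributes map to None
        if tag == "script":
            ref = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            ref = a.get("href")
        else:
            return
        url = urljoin(self.page_url, ref or "")  # resolves relative and //host/ URLs
        if not ref or origin(url) == origin(self.page_url):
            return  # inline or same-origin: outside this check
        checks = (("integrity", a.get("integrity")), ("crossorigin", "crossorigin" in a))
        missing = [name for name, ok in checks if not ok]
        if missing:
            self.findings.append((url, missing))

def audit(html: str, page_url: str):
    parser = SRIAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Call audit() with the page's HTML and its own URL; an empty list means every external script and stylesheet carries both attributes. It does not verify that the hashes match the served files.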