A Comparative Analysis of Subresource Integrity (SRI) vs. Content Security Policy (CSP) for Resource Integrity Verification: A Comparative Study of SRI and CSP Effectiveness
2025 (English) Independent thesis Basic level (professional degree), 12 credits / 18 HE credits
Student thesis
Abstract [en]
Background: Web applications increasingly rely on third-party resources, introducing significant security challenges. An attacker who can alter such a resource, whether at its host (for example a compromised CDN) or in transit, can inject malicious code, steal user data, or disrupt functionality. Subresource Integrity (SRI) and Content Security Policy (CSP) are two security mechanisms designed to mitigate these risks by ensuring the integrity of external resources and controlling which content may execute. However, their effectiveness in preventing web-based attacks remains a topic of discussion.
Objectives: This research aims to conduct a comparative analysis of SRI and CSP to evaluate their roles in verifying resource integrity and preventing web-based attacks. The study seeks to determine their respective strengths, limitations, and practical applications in enhancing web security.
Methods: This study employs a qualitative approach, combining a literature review with attack simulations. The literature review identifies key strengths, limitations, and implementation challenges of SRI and CSP. The attack simulations are designed based on real-world vulnerabilities, testing both mechanisms against common threats, including XSS, resource tampering, and man-in-the-middle (MITM) attacks.
Results: The findings reveal that SRI effectively prevents resource tampering attacks, but it is limited to static external resources whose content is known in advance, and it offers no protection against inline script injection. CSP, when correctly configured, mitigates a broader range of threats, including inline script execution and mixed-content loading. However, a misconfiguration such as allowing 'unsafe-inline' in the script-src directive can render CSP ineffective against injected scripts.
Conclusion: The study underscores the necessity of combining SRI and CSP for a layered security approach. SRI is highly effective for ensuring resource integrity, while CSP provides broader content control but requires careful configuration. The findings highlight the critical need for improved developer education and tooling to facilitate proper implementation. Future research should explore automation and integration strategies to enhance the adoption and effectiveness of these security mechanisms in modern web applications.
Place, publisher, year, edition, pages
2025, p. 47
Keywords [en]
Subresource Integrity (SRI), Content Security Policy (CSP), web security, resource integrity, attack simulation
National Category
Security, Privacy and Cryptography
Identifiers
URN: urn:nbn:se:bth-27591
OAI: oai:DiVA.org:bth-27591
DiVA, id: diva2:1943650
Subject / course
DV1583 Degree Project for Bachelor of Science in Engineering Computer Science
Educational program
Bachelor of Science in Engineering: Computer Security
Available from: 2025-03-25 Created: 2025-03-11 Last updated: 2025-12-16 Bibliographically approved