Add Subresource Integrity (SRI) to CDN-loaded Chart.js #10

Open
opened 2026-06-06 19:58:11 +00:00 by tonym · 0 comments

Severity: low
Category: security
Location: templates/index.html:3 (and assets/income/summary)

Problem

Chart.js is loaded from jsDelivr with no integrity hash; a compromised/overwritten CDN asset would run with access to all on-page budget data.

Suggested fix

Add integrity="sha384-..." crossorigin="anonymous", or self-host under static/.

Filed by automated code review.

**Severity:** low **Category:** security **Location:** `templates/index.html:3 (and assets/income/summary)` ### Problem Chart.js is loaded from jsDelivr with no integrity hash; a compromised/overwritten CDN asset would run with access to all on-page budget data. ### Suggested fix Add `integrity="sha384-..." crossorigin="anonymous"`, or self-host under static/. _Filed by automated code review._
tonym added the
security
severity:low
labels 2026-06-06 19:58:11 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: bonna61/Moon-Household-Budget#10
No description provided.