External Scripts
High Severity

What This Check Measures
This check counts the number of external JavaScript files loaded by the page. External scripts are JavaScript files hosted on third-party domains.
Why It Matters
- Supply Chain Attacks — If a third-party CDN is compromised, your site is too
- Data Exfiltration — External scripts can steal user data
- Cryptojacking — Scripts can mine cryptocurrency using visitor CPUs
- Tracking — Third-party scripts often track user behavior
- Performance — Each external script adds network requests and latency
- Single Point of Failure — If the external server is down, scripts fail
How Data Is Obtained
Source File
src/checks/safety.check.js
Function
SafetyCheck.analyze(url)
Input
response.data — The HTML content returned by the target URL
Detection Logic
```js
// Count <script> tags that carry a src attribute. Note that this regex matches
// any script with a src, including same-origin ones, so self-hosted scripts
// are counted alongside genuinely third-party ones.
const externalScripts = (response.data?.match(/<script[^>]+src=/gi) || []).length;
checks.push({
  name: 'External Scripts',
  status: externalScripts > 0 ? 'warn' : 'pass',
  description: externalScripts > 0
    ? `${externalScripts} external scripts - verify they're from trusted sources`
    : 'No external scripts',
  severity: 'high'
});
```
Libraries
- axios — Fetches the page HTML
- Native JavaScript String.match() with a regex
Status Values
| Status | Condition | Meaning |
|---|---|---|
| pass | No external scripts | All JavaScript is self-hosted. Maximum control over code execution. |
| warn | 1+ external scripts | Third-party JavaScript detected. Verify sources are trustworthy. |
Severity: High
This check has high severity because:
- External scripts have full access to your page's DOM
- They can read form inputs, cookies, and localStorage
- Supply chain attacks are increasingly common
- Even reputable CDNs can be compromised
Common External Script Sources
Generally Trusted
- Google Analytics / Tag Manager
- Cloudflare CDN
- jQuery from official CDN
- Major framework CDNs (unpkg, cdnjs)
Use Caution
- Unknown analytics services
- Ad networks
- Social sharing widgets
- Chat/support widgets
Security Best Practices
Protecting Against External Script Risks
- Subresource Integrity (SRI) — Add an integrity attribute to verify the file hasn't changed
- Content Security Policy — Restrict which domains can serve scripts
- Self-host when possible — Download and serve scripts from your own server
- Audit regularly — Review what scripts are loaded and why
- Monitor for changes — Detect if third-party scripts are modified
SRI Example
```html
<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5..."
  crossorigin="anonymous">
</script>
```
Impact on Category Score
As a high severity check with warn status, external scripts have a notable negative impact on the Safety & Threats score. The more external scripts detected, the higher the perceived risk.