Third-party JavaScript is the most common resource type loaded from external origins, yet most organizations have no visibility into what code actually runs in their users' browsers. Attackers exploit this blind spot by compromising smaller vendors (for example through stolen credentials for S3 buckets or Google Tag Manager accounts) to inject keyloggers and data skimmers into high-value sites; supply-chain attacks of this kind were behind the breaches at British Airways and Ticketmaster and the $1.46B Bybit crypto theft. Practical defenses include: deploying Content Security Policy in report-only mode to inventory all client-side dependencies without blocking anything; using the new CSP report-sha256 reporting feature to fingerprint loaded scripts and detect when their contents change; applying Subresource Integrity (SRI) to every static third-party script tag; and using the Integrity Policy header to enforce that SRI coverage across the site, so a script without an integrity attribute is blocked rather than silently loaded. Complementary headers (Permissions Policy, COEP, COOP and Clear-Site-Data) further restrict what third-party scripts can access once they run. Signature-based SRI, still in development, promises to extend these protections to dynamic dependencies by pinning a vendor's public key instead of a static hash, so the vendor can ship updates without the site having to re-pin every release.

57m watch time