SRI/CSP Monitoring Test Application

Test endpoints for validating SRI (Subresource Integrity) and CSP (Content Security Policy) monitoring tools

Test Endpoints

/good

Always returns a correctly configured page:

All external scripts have valid integrity attributes (SHA-384)
Strict CSP header with script-src 'self' 'nonce-...'
Inline script uses valid nonce attribute
All scripts serve variant A (stable content)

Use case: Baseline for "passing" security checks

/bad

Always returns a misconfigured page:

Some scripts missing integrity attribute
One script has invalid/wrong integrity hash
No CSP header (completely missing)
Inline scripts without nonce protection
Inline script with invalid nonce
Data URI script

Use case: Baseline for "failing" security checks

/test

Fully configurable endpoint with query parameters to control behavior:

JavaScript variant selection (A, B, random, or always-changing)
SRI presence and validity probabilities
CSP mode (strict, weak, none, or random)
Inline script variants and nonce validity

Use case: Test specific scenarios and edge cases

Query Parameters for /test

JavaScript Control

Parameter	Values	Default	Description
`js`	`a \| b \| random \| always`	`a`	Global JS mode for all scripts
`analytics`	`a \| b \| random \| always`	(uses `js`)	Override for analytics.js
`utils`	`a \| b \| random \| always`	(uses `js`)	Override for utils.js
`tracker`	`a \| b \| random \| always`	(uses `js`)	Override for tracker.js

JS Modes:

a - Serve variant A (stable, known hash)
b - Serve variant B (stable, different known hash)
random - Randomly pick A or B each request (can flip back and forth)
always - Append timestamp (ALWAYS changes, unique each request)

SRI Control

Parameter	Values	Default	Description
`sri_present`	`0.0 - 1.0`	`1.0`	Probability `integrity` attribute is included
`sri_valid`	`0.0 - 1.0`	`1.0`	When SRI present, probability hash is correct

CSP Control

Parameter	Values	Default	Description
`csp`	`strict \| weak \| none \| random`	`strict`	CSP header mode
`csp_strict_ratio`	`0.0 - 1.0`	`0.5`	When `csp=random`, probability of strict CSP

Inline Script Control

Parameter	Values	Default	Description
`inline`	`none \| all \| nonce_only`	`all`	Which inline scripts to include
`inline_js`	`a \| b \| random \| always`	`a`	Global inline script variant
`inline_basic`	`a \| b \| random \| always`	(uses `inline_js`)	Override for basic inline script
`inline_id`	`a \| b \| random \| always`	(uses `inline_js`)	Override for script with id
`inline_nonce`	`a \| b \| random \| always`	(uses `inline_js`)	Override for nonce script
`inline_data`	`a \| b \| random \| always`	(uses `inline_js`)	Override for data URI script
`inline_nonce_valid`	`0.0 - 1.0`	`1.0`	Probability nonce is valid

Inline Script Types:

<script> - Basic inline script (no nonce)
<script id="..."> - Inline script with id attribute
<script nonce="..."> - Inline script with nonce (valid or invalid)
<script src="data:..."> - Data URI script (base64 encoded)

Example URLs

Baseline good (default)

/test

All variant A, SRI present+valid, strict CSP

All scripts use variant B

/test?js=b

Simulates a coordinated update to all scripts

Random variant selection

/test?js=random

Each request randomly picks A or B (may flip between requests)

Always-changing scripts

/test?js=always

Scripts have unique content every request (timestamp appended)

Mixed script modes

/test?analytics=a&utils=b&tracker=random

Different mode for each script

50% chance SRI missing

/test?sri_present=0.5

Test detection of missing integrity attributes

SRI present but 30% invalid

/test?sri_valid=0.7

Test detection of hash mismatches

Random CSP (70% strict)

/test?csp=random&csp_strict_ratio=0.7

CSP randomly strict or weak each request

Simulate supply chain attack

/test?js=random&sri_present=1&sri_valid=0

JS changes, SRI present but always mismatched

Chaos mode

/test?js=random&sri_present=0.8&sri_valid=0.9&csp=random

Everything random - stress test your monitoring

Inline scripts variant B

/test?inline=all&inline_js=b

All inline scripts use variant B content

Invalid nonce on inline script

/test?inline=all&inline_nonce_valid=0

Nonce-protected inline script has invalid nonce

Only nonce-protected inline script

/test?inline=nonce_only

Include only the nonce-protected inline script

No inline scripts

/test?inline=none

Disable all inline scripts

Response Headers

All endpoints include debug headers for monitoring verification:

X-Test-State: good | bad | mixed
X-Test-Config: js=random;sri_present=0.8;sri_valid=0.9;csp=random
X-JS-Variants: analytics=a;utils=b;tracker=always-1734567890
Cache-Control: no-store, no-cache, must-revalidate

Technical Details

SRI Algorithm: SHA-384
Strict CSP: default-src 'none'; script-src 'self' 'nonce-...'; style-src 'self' 'nonce-...'; ...
Weak CSP: default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; ...