security-alliance · mattaereal · Apr 21, 2026 · Apr 10, 2026 · Apr 14, 2026 · Apr 14, 2026
diff --git a/docs/pages/front-end-web-app/index.mdx b/docs/pages/front-end-web-app/index.mdx
@@ -13,6 +13,7 @@ title: "Front End Web App"
 
 - [Front-End Web Application Security](/front-end-web-app/overview)
 - [Web Application Security](/front-end-web-app/web-application-security)
+- [Third-Party Script Security](/front-end-web-app/third-party-script-security)
 - [Mobile Application Security](/front-end-web-app/mobile-application-security)
 - [Common Web Vulnerabilities](/front-end-web-app/common-vulnerabilities)
 - [Security Tools & Resources](/front-end-web-app/security-tools-resources)
diff --git a/docs/pages/front-end-web-app/overview.mdx b/docs/pages/front-end-web-app/overview.mdx
@@ -25,8 +25,9 @@ as they could, for example, start interacting with a malicious contract instead
 
 1. [Web Application Security](/front-end-web-app/web-application-security)
 2. [Mobile Application Security](/front-end-web-app/mobile-application-security)
-3. [Common Vulnerabilities](/front-end-web-app/common-vulnerabilities)
-4. [Security Tools and Resources](/front-end-web-app/security-tools-resources)
+3. [Third-Party Script Security](/front-end-web-app/third-party-script-security)
+4. [Common Vulnerabilities](/front-end-web-app/common-vulnerabilities)
+5. [Security Tools and Resources](/front-end-web-app/security-tools-resources)
 
 ---
 

diff --git a/docs/pages/front-end-web-app/third-party-script-security.mdx b/docs/pages/front-end-web-app/third-party-script-security.mdx
diff --git a/docs/pages/supply-chain/dependency-awareness.mdx b/docs/pages/supply-chain/dependency-awareness.mdx
@@ -381,6 +381,8 @@ contracts and their imported libraries, see
 - [Snyk Vulnerability Database](https://security.snyk.io/): Searchable database of known vulnerabilities
 - [Cargo Security Advisories](https://rustsec.org/): Rust security advisory database and `cargo-audit`
 - [Go Vulnerability Database](https://vuln.go.dev/): Official Go vulnerability tracking and `govulncheck`
+- [Third-Party Script Security](/front-end-web-app/third-party-script-security): Runtime integrity controls (Content
+  Security Policy, Subresource Integrity, self-hosting) that complement build-time dependency practices
 
 ---
 

diff --git a/docs/pages/supply-chain/web3-supply-chain-threats.mdx b/docs/pages/supply-chain/web3-supply-chain-threats.mdx
@@ -56,6 +56,9 @@ the user's browser.
 
 For practices to defend against these attacks, see [Dependency Awareness](/supply-chain/dependency-awareness).
 
+For runtime integrity verification using Subresource Integrity and Content Security Policy, see
+[Third-Party Script Security](/front-end-web-app/third-party-script-security).
+
 ### Wallet Connector Library Hijacking
 
 Wallet connector libraries are a particularly high-value target because they sit at the exact point where user intent
@@ -69,6 +72,9 @@ meets transaction construction.
 
 For wallet-specific security practices, see the [Wallet Security](/wallet-security/overview) framework.
 
+For browser-level controls that would have blocked execution of the tampered library, see
+[Third-Party Script Security](/front-end-web-app/third-party-script-security).
+
 ### CDN and Hosting Compromise
 
 An attacker who compromises your hosting provider or poisons a CDN cache can serve tampered JavaScript to all users
@@ -78,8 +84,10 @@ without touching your repository.
   signing with fund redirection.
 - **CDN cache poisoning** can serve malicious scripts even if your origin server is clean.
 
-For DNS hardening, registrar locks, and monitoring, see the
-[Domain & DNS Security](/infrastructure/domain-and-dns-security/overview) framework.
+For DNS hardening, registrar locks, and monitoring, see the [Domain & DNS Security](/infrastructure/domain-and-dns-security/overview) framework.
+
+For browser-level defenses against CDN and hosting compromise, including Content Security Policy, Subresource Integrity, and self-hosting
+strategies, see [Third-Party Script Security](/front-end-web-app/third-party-script-security).
 
 ## Smart Contract Dependency Risks
 
@@ -252,6 +260,8 @@ For hardware wallet security guidance, see the [Wallet Security](/wallet-securit
   [Vendor Risk Management](/supply-chain/vendor-risk-management) guide
 - Track real-time exploit data and historical incidents on the
   [DeFiLlama Hacks Dashboard](https://defillama.com/hacks)
+- [Third-Party Script Security](/front-end-web-app/third-party-script-security): Runtime integrity controls (Content
+  Security Policy, Subresource Integrity, self-hosting) that complement build-time dependency practices
 
 ---
 

diff --git a/utils/fetched-tags.json b/utils/fetched-tags.json
@@ -413,6 +413,10 @@
       "Engineer/Developer",
       "Security Specialist"
     ],
+    "/front-end-web-app/third-party-script-security": [
+      "Engineer/Developer",
+      "Security Specialist"
+    ],
     "/front-end-web-app/web-application-security": [
       "Engineer/Developer",
       "Security Specialist"

diff --git a/vocs.config.tsx b/vocs.config.tsx
@@ -175,6 +175,7 @@ const config = {
           items: [
             { text: 'Overview', link: '/front-end-web-app/overview', dev: true },
             { text: 'Web Application Security', link: '/front-end-web-app/web-application-security', dev: true },
+            { text: 'Third-Party Script Security', link: '/front-end-web-app/third-party-script-security', dev: true },
             { text: 'Mobile Application Security', link: '/front-end-web-app/mobile-application-security', dev: true },
             { text: 'Common Vulnerabilities', link: '/front-end-web-app/common-vulnerabilities', dev: true },
             { text: 'Security Tools and Resources', link: '/front-end-web-app/security-tools-resources', dev: true },