` tag must carry an SRI `integrity` hash and * `crossorigin="anonymous"` so the browser refuses to execute the JS * if a CDN compromise or in-flight content modification serves * different bytes. */ final class DocsControllerTest extends AppTestCase { public function testDocsPageEmbedsRapiDocWithSriIntegrity(): void { $resp = $this->request('GET', '/api/docs'); self::assertSame(200, $resp->getStatusCode()); self::assertStringContainsString('text/html', $resp->getHeaderLine('Content-Type')); $html = (string) $resp->getBody(); // Script tag points at the locked RapiDoc version. self::assertStringContainsString( 'https://cdn.jsdelivr.net/npm/rapidoc@9.3.4/dist/rapidoc-min.js', $html, ); // Integrity hash present and well-formed (sha384- + base64). self::assertMatchesRegularExpression( '/integrity="sha384-[A-Za-z0-9+\/=]{64}"/', $html, 'expected sha384 SRI on the rapidoc