Subresource Integrity (SRI) protects against compromised CDNs. Add integrity="sha384-..." (the base64-encoded SHA-384 hash of the expected asset) and crossorigin="anonymous" to every <script src="https://cdn.example.com/..."> and third-party <link rel="stylesheet">. The browser refuses to execute the asset if the downloaded bytes don't match the hash.
Without SRI, a CDN compromise (or a DNS hijack of the CDN's hostname) lets the attacker swap your jQuery or Google Analytics for a malicious version that runs in your origin's security context. With SRI, the browser blocks the swap with a console error.
Generate hashes with openssl dgst -sha384 -binary asset.js | openssl base64 -A. Many CDN providers (cdnjs, jsDelivr) publish the SRI hash alongside the URL; copy it.
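A build-time check for the rules above, as an added example that is not code from the original page: it computes the same sha384 value as the openssl pipeline and flags cross-origin script and stylesheet tags that lack integrity or crossorigin, or whose hash differs from a copy you reviewed. The names sri_sha384, SRIAudit, audit, page_host and reviewed are assumptions of this example, and the HTML and asset bytes are constructed sample input.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_sha384(data: bytes) -> str:
    # Same value as: openssl dgst -sha384 -binary asset.js | openssl base64 -A
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class SRIAudit(HTMLParser):
    """Flags cross-origin <script src> / <link rel=stylesheet> tags with missing or wrong SRI."""
    def __init__(self, page_host, reviewed):
        super().__init__()
        self.page_host = page_host  # hostname the page itself is served from (assumption)
        self.reviewed = reviewed    # url -> bytes of the asset copy you reviewed
        self.findings = []          # (url, problem) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        else:
            return
        host = urlparse(url or "").hostname
        if host is None or host == self.page_host:
            return  # inline, relative or same-origin: not served by the CDN
        tokens = (a.get("integrity") or "").split()
        if not tokens:
            self.findings.append((url, "missing integrity"))
            return
        if "crossorigin" not in a:
            self.findings.append((url, "missing crossorigin"))
        if url in self.reviewed and sri_sha384(self.reviewed[url]) not in tokens:
            self.findings.append((url, "integrity does not match reviewed copy"))

def audit(html, page_host, reviewed=None):
    parser = SRIAudit(page_host, reviewed or {})
    parser.feed(html)
    return parser.findings

GOOD_JS = b"console.log('constructed sample asset');\n"  # constructed sample input
SAMPLE_HTML = f"""
<script src="https://cdn.example.com/lib.js" integrity="{sri_sha384(GOOD_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/other.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css" integrity="sha384-AAAA">
<script src="/local/app.js"></script>
"""
```

Calling audit(SAMPLE_HTML, "www.example.org", {"https://cdn.example.com/lib.js": GOOD_JS}) reports other.js and site.css and passes lib.js; run it in CI so a tag added without SRI fails the build.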