What is Subresource Integrity?

SRI lets the browser verify that a file fetched from a CDN matches a hash you embedded in the tag. If a compromised or malicious CDN alters the file by even one byte, the hash mismatches and the browser refuses to run it.

Which algorithm should I use?

SHA-384 is the widely used default and the one most CDNs publish. SHA-256 and SHA-512 are also valid SRI algorithms. You can even list multiple integrity values separated by spaces and the browser uses the strongest it supports.

Why do I also need crossorigin=anonymous?

For cross-origin resources the browser only enforces integrity when the request is made in CORS mode. Adding crossorigin=anonymous tells it to fetch without credentials in CORS mode so the SRI check can run.

Does the hash have to match the served bytes exactly?

Yes. SRI hashes the raw response body byte-for-byte. If the CDN minifies, re-compresses content differently, or adds a BOM, the hash changes. Generate the hash from the exact file the CDN will serve, and pin a specific version URL.

Is my file uploaded to compute the hash?

No. Hashing uses the browser's Web Crypto API (crypto.subtle.digest) entirely on your device. The file contents never leave your browser.

Subresource Integrity (SRI) Hash Generator

Subresource Integrity (SRI) lets you load a script or stylesheet from a third-party CDN while guaranteeing it has not been tampered with. This tool computes the correct SRI hash from the exact file contents, right in your browser.

How it works

You add an integrity attribute to a <script> or <link> tag containing a base64-encoded cryptographic hash of the file:

<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

When the browser downloads the file, it hashes the raw response body with the named algorithm and compares the result to your integrity value. If they differ — because a CDN was compromised or a proxy injected code — the browser refuses to execute the file.

This tool reads the bytes you paste or drop, calls crypto.subtle.digest() with SHA-256, SHA-384, and SHA-512, base64-encodes each digest, and formats them as <algo>-<base64>. For cross-origin resources you must also add crossorigin="anonymous" so the fetch happens in CORS mode, which is required for the integrity check to run.

Getting the bytes right

SRI hashes the response byte-for-byte, so the hash must be computed from the exact file the CDN serves. A trailing newline, a byte-order mark, or different minification will all change the hash and cause a (correct) mismatch. Always:

Pin a specific, immutable version URL rather than a @latest alias.
Generate the hash from the precise file at that URL.
Re-generate whenever you bump the version.

Tips

You can list several hashes separated by spaces (integrity="sha384-… sha512-…"); the browser validates against the strongest algorithm it supports.
SHA-384 is the conventional default and what most CDNs publish, but SHA-512 is perfectly valid and stronger.
Nothing is uploaded — hashing happens locally via the Web Crypto API.