Security

SRI Hash Generator

The SRI Hash Generator computes Subresource Integrity (SRI) hash values for external CSS and JavaScript resources. SRI allows browsers to verify that a file loaded from a CDN or third-party server has not been tampered with by comparing the file's hash against the expected value in the integrity attribute. The tool fetches the resource, hashes it with SHA-256, SHA-384, or SHA-512, and outputs the ready-to-use integrity attribute string.

What is Subresource Integrity (SRI)?

Subresource Integrity (SRI) is a browser security feature (W3C specification) that allows web pages to ensure that resources loaded from external sources (CDNs, third-party servers) have not been modified. The integrity attribute in <script> and <link> tags contains a base64-encoded cryptographic hash of the expected file content. Before executing a script or applying a stylesheet, the browser fetches the resource, computes its hash, and compares it against the integrity value. If they do not match, the browser refuses to execute the resource and generates a network error. SRI protects against CDN compromise, supply chain attacks, and accidental delivery of corrupted files.

How does the tool work?

The tool fetches the specified resource URL via a CORS-friendly request (or accepts pasted file content). The raw bytes of the response body are hashed with the selected algorithm (SHA-256, SHA-384, or SHA-512) using the browser's Web Crypto API. The hash digest is Base64-encoded and formatted as an SRI hash string: algorithm-base64hash (e.g. sha384-abc123...). The tool outputs the complete integrity attribute value and a sample HTML tag with the integrity and crossorigin attributes populated. Multiple hash algorithms can be included in one integrity attribute for fallback support.

Typical Use Cases

Generating SRI hashes for CDN-hosted jQuery, Bootstrap, or other libraries before referencing them in HTML
Adding integrity checks to third-party script tags to mitigate supply chain attack risks
Verifying that a CDN file matches the expected content before a production deployment
Generating integrity hashes for self-hosted assets to detect accidental file corruption

Step-by-step Guide

Step 1: Enter the URL of the CSS or JavaScript file you want to hash.
Step 2: Select the hash algorithm (SHA-384 is recommended by the SRI specification).
Step 3: Click 'Generate' to fetch the file and compute the integrity hash.
Step 4: Copy the integrity attribute value and add it to your HTML <script> or <link> tag.

Example

Input

https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css

Output

integrity="sha384-9ndCyUaIbzAi2FUVXJi0CjmCapSmO7SnpJef0486qhLnuZ2cdeRhO02iuK6FUUVM" crossorigin="anonymous"

Tips & Notes

SHA-384 is the algorithm recommended by the SRI specification and is supported by all modern browsers.
Include multiple hashes (sha256- and sha384-) separated by a space in the integrity attribute for maximum compatibility.
The crossorigin='anonymous' attribute is required alongside integrity for cross-origin resources; omitting it causes the SRI check to fail.

Frequently Asked Questions

Why do I need both integrity and crossorigin attributes?

The crossorigin attribute instructs the browser to make a CORS request for the resource, which exposes the response body to the JavaScript origin so the browser can hash it. Without crossorigin, the browser loads the resource without exposing the body, making integrity verification impossible.

Will SRI work if the CDN uses versioned URLs?

Yes. As long as the URL always serves exactly the same file content, the hash remains valid. If the CDN serves different content at the same URL (e.g. a mutable latest link), the hash will fail after any update. Pin to a specific version URL.

Does SRI protect against attacks from the CDN itself?

Yes. If the CDN is compromised and serves a modified file, the hash will not match and the browser will refuse to load the resource. SRI is specifically designed to protect against CDN compromise and supply chain attacks.