SRI Hash Generator

Generate SHA-256, SHA-384, and SHA-512 Subresource Integrity hashes for scripts and stylesheets. Get ready-to-use integrity attributes and full HTML tags.

Paste file content above to generate SRI hashes.

How to Use the SRI Hash Generator

  1. Text / Paste: Copy the content of a CDN-hosted JavaScript or CSS file and paste it into the text area. Hashes update in real time.
  2. File Upload: Drag and drop a .js or .css file, or click to browse. The file is read locally β€” nothing is uploaded.
  3. URL Check: Enter a CDN URL and click Fetch & Hash. Your browser downloads the file directly and computes the hash client-side.
  4. Choose algorithm: Select SHA-256, SHA-384 (recommended), or SHA-512 from the dropdown. This affects the generated HTML tags.
  5. Enter resource URL: Add the CDN URL in the Resource URL field to get complete, ready-to-paste <script> and <link> tags.
  6. Copy: Use the Copy buttons on each block to grab individual values.

What is Subresource Integrity?

Subresource Integrity (SRI) is a W3C security standard (supported in all modern browsers since 2016) that protects websites against supply chain attacks via CDN compromise. When you load a script or stylesheet from a third-party CDN, you are trusting that CDN not to modify the file. If the CDN is compromised β€” through a security breach, BGP hijack, or DNS poisoning β€” an attacker could serve malicious code to every website that uses that CDN resource. SRI eliminates this risk by allowing browsers to verify file integrity before executing or applying it.

How SRI Works

When a browser encounters a <script> or <link> tag with an integrity attribute, it:

  1. Downloads the resource from the CDN as normal
  2. Computes the cryptographic hash of the downloaded bytes
  3. Compares it to the hash in the integrity attribute (Base64-encoded)
  4. Executes or applies the resource only if the hashes match
  5. Blocks and logs a CSP violation if the hashes do not match

The integrity attribute format is algorithm-base64hash, for example: sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC.

Which Algorithm to Choose

The SRI specification supports SHA-256, SHA-384, and SHA-512 β€” all from the SHA-2 family. SHA-1 and MD5 are explicitly disallowed because they are cryptographically broken.

  • SHA-384 β€” the industry recommendation for SRI. Stronger than SHA-256 with a 384-bit output, producing a 64-character Base64 string.
  • SHA-256 β€” acceptable, produces a 44-character Base64 string. Still considered secure for this use case.
  • SHA-512 β€” highest security margin, 86-character Base64 string. Marginally slower on some hardware.

You can include multiple integrity values separated by a space. The browser will use the strongest algorithm it supports: integrity="sha256-... sha384-...". This is useful for progressive enhancement during a migration.

SRI and the crossorigin Attribute

When using SRI with resources on a different origin (i.e., any CDN URL), you must also add crossorigin="anonymous" to the tag. Without it, the browser cannot perform a CORS request, and the SRI check will fail even if the hash is correct. The generated tags in this tool include this attribute automatically. Same-origin resources (files on your own domain) do not need the crossorigin attribute for SRI to work, but it doesn't hurt to include it for consistency.

SRI and Content Security Policy

SRI pairs well with Content Security Policy (CSP). While CSP controls which origins can serve resources, SRI verifies the exact content of those resources. Together, they form a robust defense-in-depth strategy. Many security frameworks, including OWASP guidelines, recommend both CSP and SRI for any website that loads external scripts. When SRI blocks a resource, the browser fires a securitypolicyviolation event that you can capture with a CSP report-uri or report-to directive for monitoring.

Practical CDN Workflow

When updating a CDN library version, always regenerate the SRI hash. The hash is tied to exact byte content β€” even a single character difference produces a completely different hash. CDNs like jsDelivr publish pre-computed SRI hashes on their package pages, but generating the hash yourself gives you an independent verification that the CDN is serving what it claims. Use the URL Check tab in this tool to fetch and hash CDN resources directly. Pair this tool with our Hash Generator for general file integrity verification or our Basic Auth Header Generator for authenticating to private CDNs.

Browser Support

SRI is supported in Chrome 45+, Firefox 43+, Safari 11.1+, Edge 17+, and Opera 32+. Internet Explorer does not support SRI; the browser simply ignores the integrity attribute and loads the resource normally. For IE11 users, SRI provides no protection, but it also does not break anything. All other major browsers in use today fully support SRI for both scripts and stylesheets.

Frequently Asked Questions

Subresource Integrity (SRI) is a browser security feature that lets you verify that files fetched from a CDN or third-party host have not been tampered with. You add an integrity attribute containing a cryptographic hash to your <script> or <link> tags. Before executing or applying the resource, the browser computes the hash of the downloaded file and compares it to the value in the integrity attribute. If they don't match, the browser blocks the resource.
SHA-384 is the recommended algorithm for SRI. It provides a strong security margin and is well-supported in all modern browsers. SHA-256 is acceptable but offers less collision resistance. SHA-512 provides the highest security but produces the longest hash strings. You can include multiple hash values separated by spaces (e.g. integrity="sha256-... sha384-...") and the browser will use the strongest supported algorithm.
Most major CDNs publish SRI hashes alongside their hosted files. jsDelivr (jsdelivr.com) shows integrity attributes on every package page. cdnjs.cloudflare.com includes the hash next to download links. The official Bootstrap and jQuery download pages also list SRI hashes. You can also generate them yourself with this tool by pasting the file content or using the URL Check tab.
No. SRI requires the file content to be identical every time it is served. If a server generates slightly different output on each request (timestamps, random nonces, personalized content), the hash will never match and the browser will block the resource. SRI is designed for static, versioned assets such as npm packages served from a CDN. For dynamic resources, use Content Security Policy (CSP) nonces instead.
No. This SRI hash generator runs 100% in your browser using the Web Crypto API (SubtleCrypto). Pasted text and dropped files are processed entirely in memory. Nothing is uploaded to any server. There is no logging, no cloud processing, and no data retention of any kind.