SRI Hash Generator for Subresource Integrity
This SRI hash generator creates the integrity hash your browser uses to verify that a script or stylesheet loaded from a CDN has not been tampered with. Paste the file content, pick an algorithm, and copy a ready-to-paste <script> or <link> tag.
It is built for front-end and web developers who pull libraries from third-party CDNs and want a Subresource Integrity (SRI) safeguard. Adding an integrity attribute means the browser blocks the resource if its hash does not match — closing off one common supply-chain attack.
How to Generate an SRI Hash
Paste the file content
Copy the full content of the JavaScript or CSS file you want to protect into the Content box. The hash is generated automatically as you type or paste.
Choose an algorithm
Pick SHA-256, SHA-384, or SHA-512. SHA-384 is selected by default and is the recommended choice for SRI.
Set the tag type and URL
Choose script or link as the Tag Type. Add an optional Resource URL — a .js or .css link auto-detects the matching tag type for you.
Copy the output
Copy the Integrity Hash on its own, or the complete HTML tag with the integrity and crossorigin attributes already in place, then paste it into your page.
Features
Multiple Hash Algorithms
Generate SRI hashes with SHA-256, SHA-384, or SHA-512. SHA-384 is the default and the algorithm recommended by the W3C SRI specification.
Auto-Detect Tag Type
Enter a resource URL and the tool picks script for a .js file or link for a .css file — or switch the tag type manually anytime.
Ready-to-Use HTML Tag
Get a complete tag with the integrity and crossorigin="anonymous" attributes already included, so you can paste it straight into your HTML.
Optional Resource URL
Add the CDN URL of the resource and it is dropped into the generated tag's src or href so the output is ready to use as-is.
One-Click Copy
Copy the integrity hash value or the full HTML tag with a single click, with a quick on-screen confirmation each time.
Client-Side Processing
All hashing runs in your browser via the Web Crypto API. Your file content is never sent to a server, keeping it fully private.
Frequently Asked Questions
What is Subresource Integrity (SRI)?
SRI is a browser security feature that verifies files loaded from external sources, such as CDNs, have not been altered. You add an integrity attribute holding the file's expected hash to a <script> or <link> tag; the browser compares it against the downloaded file and blocks the resource if they do not match.
How do I generate an SRI hash?
Paste the exact content of the JavaScript or CSS file into the Content box. The tool hashes it instantly with your chosen algorithm and gives you both the raw integrity hash and a complete HTML tag to copy.
Which hash should I use: SHA-256, SHA-384, or SHA-512?
SHA-384 is recommended by the W3C and is the most widely used algorithm for SRI, giving a strong balance of security and performance. SHA-256 and SHA-512 are also supported by every modern browser, so use whichever your project requires.
Do I need the crossorigin attribute?
Yes. crossorigin="anonymous" is required for SRI to work with resources from a different origin, such as a CDN. Without it the browser cannot verify the integrity of a cross-origin resource — which is why the generated tag includes it for you.
Why is my integrity check failing?
The most common cause is that the file served differs from the content you hashed — even a single changed byte produces a different hash, so re-generate from the exact CDN file. A missing crossorigin attribute or a CDN that does not send the Access-Control-Allow-Origin header will also make verification fail. Most major CDNs (jsDelivr, cdnjs, unpkg) already support CORS.
Can I add SRI to a CDN script?
Yes — that is the main use case. Generate the hash from the CDN file's content, paste in the resource URL, and copy the ready-made tag. The SRI spec also allows multiple hashes in one tag separated by spaces (for example sha256-… sha384-…); this tool produces one hash at a time, which you can combine manually if you want fallbacks.
No comments yet. Be the first to comment!