What Is Subresource Integrity (SRI)?

Subresource Integrity (SRI) is a security feature that allows browsers to verify that files loaded from external sources — such as CDNs — have not been altered or compromised. When you add an integrity attribute to a <script> or <link> tag, the browser compares the hash of the downloaded file against the expected hash. If they don't match, the browser blocks the resource.

Why Use SRI?

Loading JavaScript or CSS from third-party CDNs is convenient, but it introduces a security risk. If the CDN is compromised, attackers could inject malicious code into your website. SRI eliminates this risk by ensuring that only the exact, verified version of a file is executed.

Prevent Supply Chain Attacks

Block tampered scripts from running on your site and protect against compromised CDN resources.

Protect User Data

Stop injected code from stealing credentials, session tokens, or sensitive user information.

Comply with Security Standards

SRI is recommended by OWASP and the W3C as a web security best practice.

How Does It Work?

SRI uses cryptographic hash functions (SHA-256, SHA-384, or SHA-512) to create a fingerprint of the file content. This hash is added to the HTML tag as an integrity attribute, along with crossorigin="anonymous" to enable CORS-based verification.

How it works: When the browser downloads a resource, it calculates the hash of the received file and compares it to the integrity hash you provided. If they match, the resource is executed. If not, the browser blocks it completely.

How to Use the SRI Hash Generator

Paste File Content

Copy the full content of the JavaScript or CSS file you want to protect, and paste it into the Content textarea. The hash is generated automatically as you type or paste.

Choose an Algorithm

Select a hash algorithm from the toolbar. SHA-384 is selected by default and is the recommended choice for SRI. You can also use SHA-256 or SHA-512 depending on your requirements.

Set the Tag Type

Choose whether the resource is a <script> (JavaScript) or <link> (CSS stylesheet). If you enter a URL with a .js or .css extension, the tag type is detected automatically.

Add a Resource URL (Optional)

Enter the CDN URL of the resource in the Resource URL field. This URL will be used in the generated HTML tag's src or href attribute. If left empty, a placeholder URL is used.

Copy the Output

Copy either the integrity hash alone or the complete HTML tag using the copy buttons. Paste the tag directly into your HTML to enable SRI protection.

Pro tip: Always test your SRI-protected resources in a development environment first to ensure the hash matches and the resource loads correctly.

Key Features

Multiple Hash Algorithms

Generate SRI hashes using SHA-256, SHA-384, or SHA-512. SHA-384 is the default and recommended algorithm per the W3C SRI specification.

SHA-256 for basic security
SHA-384 (recommended)
SHA-512 for maximum strength
Instant algorithm switching

Auto-Detect Tag Type

When you enter a resource URL, the tool automatically detects whether it's a JavaScript file or CSS stylesheet and selects the appropriate tag type.

Detects .js files automatically
Detects .css files automatically
Manual override available
Smart URL parsing

Ready-to-Use HTML Output

Get a complete HTML tag with the integrity and crossorigin attributes already included. Simply copy and paste it into your HTML document.

Complete <script> tags
Complete <link> tags
CORS attributes included
No manual editing needed

One-Click Copy

Copy the integrity hash value or the full HTML tag with a single click. A visual confirmation appears when the content is copied to your clipboard.

Copy hash only
Copy complete HTML tag
Visual confirmation
Instant clipboard access

Client-Side Processing

All hash computation is performed entirely in your browser using the Web Crypto API. Your file content is never uploaded to any server.

100% browser-based
No server uploads
Complete privacy
Works offline

Real-Time Generation

Hash values are calculated instantly as you type or paste content. No need to click generate buttons or wait for processing.

Instant hash calculation
Live preview updates
No delays or waiting
Efficient processing

Frequently Asked Questions

Which algorithm should I use for SRI?

SHA-384 is recommended by the W3C and is the most widely used algorithm for SRI. It provides a strong balance between security and performance. SHA-256 and SHA-512 are also supported by all modern browsers.

Best practice: Use SHA-384 unless you have specific requirements for SHA-256 (smaller hash size) or SHA-512 (maximum security).

Do I need the crossorigin attribute?

Yes. The crossorigin="anonymous" attribute is required for SRI to work with resources loaded from a different origin (such as a CDN). Without it, the browser cannot verify the integrity of cross-origin resources.

The anonymous value means that no credentials (cookies, HTTP authentication) are sent with the request, which is the standard configuration for public CDN resources.

What happens if the hash doesn't match?

If the downloaded file's hash doesn't match the integrity attribute, the browser will refuse to execute the script or refuse to apply the stylesheet. This protects your site from loading compromised files.

Important: The browser will also log an error in the console, which helps you identify when a resource has been modified or when you need to update the integrity hash after a legitimate file update.

Does the CDN need to support CORS?

Yes. The server hosting the resource must include the Access-Control-Allow-Origin header for SRI verification to work. Most popular CDNs (jsDelivr, cdnjs, unpkg) already support CORS.

If you're using a CDN that doesn't support CORS, SRI verification will fail and the resource won't load. In this case, you'll need to either switch to a CORS-enabled CDN or host the resource on your own domain.

Is my content sent to a server?

No. All hashing is done locally in your browser using the Web Crypto API. Your file content never leaves your device.

Privacy guarantee: This tool works completely offline once loaded. You can even disconnect from the internet and continue generating SRI hashes for your files.

Can I use multiple algorithms in one tag?

Yes, the SRI specification allows multiple hashes separated by spaces (e.g., sha256-abc sha384-xyz). The browser will use the strongest algorithm it supports. This tool generates one hash at a time — you can combine them manually if needed.

Using multiple hashes provides backward compatibility with older browsers while ensuring newer browsers use the strongest available algorithm.