Subresource Integrity (SRI) Hash Generator

Paste or drop a JS/CSS file and get the sha384 SRI hash for your script or link tag

Paste file contents or drop a file and compute SHA-256, SHA-384, and SHA-512 hashes with the Web Crypto API, producing the correctly formatted integrity attribute for script and link tags. Subresource Integrity stops a compromised CDN from serving a tampered script, with no server-side build step. Everything runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is Subresource Integrity?

SRI lets the browser verify that a file fetched from a CDN matches a hash you embedded in the tag. If a compromised or malicious CDN alters the file by even one byte, the hash mismatches and the browser refuses to run it.

Subresource Integrity (SRI) lets you load a script or stylesheet from a third-party CDN while guaranteeing it has not been tampered with. This tool computes the correct SRI hash from the exact file contents, right in your browser.

Why SRI matters

When you include a script from a CDN, you are trusting that CDN completely. A compromised CDN, a BGP hijack, or a typosquatted package can serve modified JavaScript that exfiltrates session cookies, card numbers, or credentials to an attacker’s server. SRI breaks that attack: the browser cryptographically verifies the file before running it, blocking the tampered version even if every other security layer was bypassed.

SRI is supported in all major browsers and is one of the cheapest security wins available — adding one attribute to a tag.

How it works

You add an integrity attribute to a script or link tag:

<script
  src="https://cdn.example.com/lib.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

When the browser downloads the file, it hashes the raw response body with the named algorithm and compares the digest to your integrity value. If they differ, the browser refuses to execute the file and logs a Content Security Policy violation.

This tool reads the bytes you paste or drop, calls crypto.subtle.digest() with SHA-256, SHA-384, and SHA-512, base64-encodes each digest, and formats them as algo-base64. Everything runs on your device via the Web Crypto API — no bytes are uploaded.

Getting the bytes exactly right

SRI hashes the response byte-for-byte. Any difference breaks the match:

  • A trailing newline added by the CDN
  • A byte-order mark in the file
  • Re-minification or re-gzipping
  • Content-Encoding transformations (make sure you hash the decoded bytes, not compressed bytes)

Best practice: fetch the file from the exact versioned URL, save it locally, hash that local copy, and pin the URL to that specific immutable version. Never pin to a @latest or @stable alias — those can silently change.

Checking what a CDN publishes

Many popular CDNs publish the SRI hash alongside the script tag on their websites. If you see a published hash there, use that and cross-verify with this tool by pasting the same file. Discrepancies indicate a problem.

If the CDN does not publish a hash, download the file with curl -o lib.js https://cdn.example.com/lib.min.js and paste its contents here.

Combining multiple hashes

You can list multiple algorithms separated by spaces:

integrity="sha256-abc… sha384-xyz…"

The browser validates against the strongest algorithm it supports. This is useful for forward compatibility — add SHA-512 now and older browsers fall back to SHA-384.

Common mistakes

  • Using crossorigin="use-credentials" instead of crossorigin="anonymous" for public CDN assets (this sends cookies with the request, which often fails on CDN CORS policies and also is unnecessary for public files).
  • Hashing a development/unminified build but loading the minified production file — the bytes differ, so the hash fails immediately.
  • Forgetting to re-generate the hash when bumping a library version.