Subresource Integrity (SRI) lets you load a script or stylesheet from a third-party CDN while guaranteeing it has not been tampered with. This tool computes the correct SRI hash from the exact file contents, right in your browser.
Why SRI matters
When you include a script from a CDN, you are trusting that CDN completely. A compromised CDN, a BGP hijack, or a typosquatted package can serve modified JavaScript that exfiltrates session cookies, card numbers, or credentials to an attacker’s server. SRI breaks that attack: the browser cryptographically verifies the file before running it, blocking the tampered version even if every other security layer was bypassed.
SRI is supported in all major browsers and is one of the cheapest security wins available — adding one attribute to a tag.
How it works
You add an integrity attribute to a script or link tag:
<script
src="https://cdn.example.com/lib.min.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
When the browser downloads the file, it hashes the raw response body with the named algorithm and compares the digest to your integrity value. If they differ, the browser refuses to execute the file and logs a Content Security Policy violation.
This tool reads the bytes you paste or drop, calls crypto.subtle.digest() with SHA-256, SHA-384, and SHA-512, base64-encodes each digest, and formats them as algo-base64. Everything runs on your device via the Web Crypto API — no bytes are uploaded.
Getting the bytes exactly right
SRI hashes the response byte-for-byte. Any difference breaks the match:
- A trailing newline added by the CDN
- A byte-order mark in the file
- Re-minification or re-gzipping
- Content-Encoding transformations (make sure you hash the decoded bytes, not compressed bytes)
Best practice: fetch the file from the exact versioned URL, save it locally, hash that local copy, and pin the URL to that specific immutable version. Never pin to a @latest or @stable alias — those can silently change.
Checking what a CDN publishes
Many popular CDNs publish the SRI hash alongside the script tag on their websites. If you see a published hash there, use that and cross-verify with this tool by pasting the same file. Discrepancies indicate a problem.
If the CDN does not publish a hash, download the file with curl -o lib.js https://cdn.example.com/lib.min.js and paste its contents here.
Combining multiple hashes
You can list multiple algorithms separated by spaces:
integrity="sha256-abc… sha384-xyz…"
The browser validates against the strongest algorithm it supports. This is useful for forward compatibility — add SHA-512 now and older browsers fall back to SHA-384.
Common mistakes
- Using
crossorigin="use-credentials"instead ofcrossorigin="anonymous"for public CDN assets (this sends cookies with the request, which often fails on CDN CORS policies and also is unnecessary for public files). - Hashing a development/unminified build but loading the minified production file — the bytes differ, so the hash fails immediately.
- Forgetting to re-generate the hash when bumping a library version.