Pinning third-party scripts and styles
Subresource Integrity (SRI) lets a page declare the cryptographic hash a
<script> or <link rel="stylesheet"> resource must match. If a CDN is
compromised or the file is altered in transit, the browser refuses to execute
or apply it. This reference covers the integrity attribute syntax, the
allowed hash algorithms and the crossorigin requirement, with a live parser.
How it works
An integrity value is one or more space-separated tokens. Each token is an
algorithm prefix and a base64-encoded digest of the resource’s raw bytes:
<script
src="https://cdn.example.com/lib.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
The prefix is sha256-, sha384- or sha512-. The base64 payload decodes to
a digest of 32, 48 or 64 bytes respectively, so the encoded string has a fixed
length per algorithm (44, 64 and 88 base64 characters including = padding).
On download the browser hashes the bytes with the named algorithm and compares
to the pinned digest; a mismatch blocks the resource.
Why SRI matters for CDN-hosted scripts
A CDN delivering a JavaScript library is a supply-chain trust point. If the CDN’s storage is compromised — which has happened to several popular CDN hosts — the attacker can replace a library with a version that steals credentials or injects malware, and every site loading the file is immediately affected. SRI makes this attack class ineffective: even if the CDN delivers a modified file, your users’ browsers will refuse to execute it because the hash does not match the one you embedded at build time.
This is distinct from HTTPS, which only guarantees the file came from the CDN, not that the CDN itself was not compromised. SRI pins the exact bytes, so the security guarantee extends through the CDN to the original file.
Generating a hash on the command line
The openssl command produces a correct SRI hash directly:
openssl dgst -sha384 -binary lib.js | openssl base64 -A
Prepend sha384- to the output and you have the integrity token. For SHA-512 substitute sha512. Most CDN providers — jsDelivr, cdnjs, Bootstrap’s CDN — display pre-computed SRI hashes alongside their embed codes, so you rarely need to compute them manually.
Multiple hashes and algorithm migration
You can list hashes for more than one algorithm separated by spaces. The browser accepts the resource if any one hash matches and uses the strongest algorithm present when multiple match. This lets you ship sha256- sha384- together during an algorithm transition: old browsers that support only SHA-256 accept it, while modern browsers verify the stronger SHA-384.
Tips and notes
- Generate a hash with
openssl dgst -sha384 -binary file.js | openssl base64 -A. - Always pair cross-origin SRI with
crossorigin="anonymous"or verification is skipped and the resource is blocked. - List several hashes (space-separated) to migrate algorithms without breaking older builds.
- Recompute the hash on every file change — even a whitespace edit changes the digest.
- SRI covers
scriptandlink; it does not protect images or other element types. - If the CDN uses cache-busting filenames (e.g.,
lib.v2.1.3.js), update the hash every time you update the version — the hash from the old file will not match.