Generate Subresource Integrity hashes for scripts and stylesheets
Subresource Integrity (SRI) allows browsers to verify that resources from the CDN have not been changed.
If the file is modified (by an attacker), the browser will refuse to load it, protecting users from malicious code.
Free online tool to generate SRI (Subresource Integrity) hashes for JavaScript and CSS files served from a CDN. Supports the SHA-256, SHA-384 and SHA-512 algorithms. Automatically generates the script tag and link tag with the integrity attribute. Protects your website from CDN compromise and supply chain attacks. Fetches the resource and calculates the hash directly in the browser. Copy tags with one click. Useful for web developers and security engineers.
Subresource Integrity (SRI) is a security feature that allows browsers to verify that resources (JS, CSS) loaded from a CDN have not been changed. When you load a script from a third-party CDN, there are risks: the CDN is hacked and the file is injected with malicious code, a man-in-the-middle attack changes the file, or the CDN serves the wrong version. SRI addresses this as follows: the browser calculates the hash of the downloaded file and compares it with the hash in the integrity attribute; if they do not match, the browser refuses to execute the file. This is an important defense-in-depth measure for supply chain security. Many security standards (CSP, PCI-DSS) recommend requiring SRI for third-party resources.
SRI (Subresource Integrity) is a W3C specification that allows browsers to verify the integrity of resources fetched from a CDN. The browser calculates the cryptographic hash of the downloaded file and compares it with the hash in the integrity attribute. If there is no match, the browser blocks the resource. This protects against CDN compromise, MITM attacks, and accidental file corruption.
SHA-384 is recommended by W3C and is the default of many tools. SHA-256 is also secure and has a shorter hash. SHA-512 is the most secure but has a longer hash. In practice, all three are secure enough for SRI. SHA-384 is a good balance. Browsers support all 3 algorithms.
When using SRI, the browser needs to access the response body to calculate the hash. With cross-origin requests (CDN), CORS is needed. crossorigin='anonymous' tells the browser to make a CORS request without credentials. If this attribute is missing, SRI will fail for cross-origin resources. Most CDNs have CORS enabled.
The tool needs to fetch files to calculate the hash. If the CDN does not enable CORS, the browser blocks the request. Most major CDNs (cdnjs, unpkg, jsdelivr) have CORS enabled. If you get an error, check that the URL is correct, try another CDN, or use a command line tool like shasum.
Minimal. The browser needs to calculate the hash of the downloaded file, but modern browsers are very fast. Hash calculation is O(n) with file size. With typical JS/CSS files (a few hundred KB), the overhead is negligible. The security benefit outweighs the tiny performance cost.
SRI fails when: File content changes (CDN updates version, file is tampered). Hash algorithm does not match. integrity attribute syntax is wrong. CORS is not enabled. When it fails, the browser logs errors in the console and does not execute script / apply styles. The website can break so it needs to be tested carefully.
Technically it is not required because same-origin resources are already trusted. However, SRI is still useful to: detect accidental file changes, ensure the correct version in CI/CD, and provide defense-in-depth if the server is compromised. Many teams use SRI for all resources.
When updating the library version, you must regenerate the SRI hash because the file content changes. Workflow: update the URL with the new version, generate a new SRI hash, update the integrity attribute. Many build tools (webpack-subresource-integrity, vite) automatically generate SRI. Or use a lockfile to pin exact versions.
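The regenerate-and-update workflow above, as an added example using Node's built-in crypto module (not this tool's own code): it builds the integrity value and tag, and checks file bytes against an existing integrity attribute so a changed file is caught in CI before the browser blocks it. The URL and the sample file contents are constructed placeholders.

```javascript
const crypto = require('node:crypto');

const ALGS = ['sha256', 'sha384', 'sha512']; // the three SRI algorithms, weakest to strongest

// Build the integrity value "<alg>-<base64 digest>" from a file's raw bytes.
function sriHash(body, alg = 'sha384') {
  if (!ALGS.includes(alg)) throw new Error(`unsupported SRI algorithm: ${alg}`);
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Emit the tag with both attributes a cross-origin SRI load needs.
// Assumption: the URL is trusted input and ends in .css for stylesheets.
function sriTag(url, body, alg = 'sha384') {
  const attrs = `integrity="${sriHash(body, alg)}" crossorigin="anonymous"`;
  return url.endsWith('.css')
    ? `<link rel="stylesheet" href="${url}" ${attrs}>`
    : `<script src="${url}" ${attrs}></script>`;
}

// Check bytes against an integrity attribute. The attribute may list several
// hashes; only the strongest algorithm present is compared, and any match passes.
function verifySri(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((tok) => tok.split('?')[0]) // drop optional "?options" suffix
    .map((tok) => ({ alg: tok.slice(0, tok.indexOf('-')), tok }))
    .filter((e) => ALGS.includes(e.alg));
  // A CI check should fail here: an attribute with no recognised hash gives no protection.
  if (entries.length === 0) return { ok: false, reason: 'no usable hash in integrity attribute' };
  const strongest = ALGS[Math.max(...entries.map((e) => ALGS.indexOf(e.alg)))];
  const actual = sriHash(body, strongest);
  return entries.some((e) => e.alg === strongest && e.tok === actual)
    ? { ok: true, alg: strongest }
    : { ok: false, reason: `${strongest} mismatch`, actual };
}

// Constructed sample: two "releases" of a hypothetical library file.
const SAMPLE_V1 = Buffer.from('console.log("lib v1.0.0");\n');
const SAMPLE_V2 = Buffer.from('console.log("lib v1.0.1");\n');
const SAMPLE_URL = 'https://cdn.example/lib@1.0.0/lib.min.js'; // placeholder URL

const pinned = sriHash(SAMPLE_V1);
console.log(sriTag(SAMPLE_URL, SAMPLE_V1));
console.log('unchanged file:', verifySri(SAMPLE_V1, pinned));
console.log('updated file:  ', verifySri(SAMPLE_V2, pinned)); // reports the new hash to pin
```

When the check fails, the `actual` field is the value to place in the integrity attribute once the new version has been reviewed.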