Subresource Integrity (SRI) Hash Generator
Paste the contents of a JavaScript or CSS file to generate its Subresource Integrity hash and a ready-to-paste script or link tag. The hash is computed in your browser with the Web Crypto API, so nothing is uploaded. Use it to pin third-party assets so the browser refuses to run a file that has been tampered with.
How to generate an SRI hash
- Paste the exact contents of the JS or CSS file you want to pin into the box.
- Pick a hash algorithm (sha384 is recommended) and, optionally, the asset URL and tag type.
- Copy the integrity value or the full script or link tag into your HTML.
Examples
SHA-384 hash of a small script
content alert('hi'), algorithm sha384
integrity="sha384-..." on <script src="app.js" crossorigin="anonymous">
SHA-256 hash of 'abc'
content abc, algorithm sha256
sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
Frequently asked questions
Is my file uploaded anywhere?
No. The hash is computed entirely in your browser using the Web Crypto API. The asset contents you paste never leave the page and are not sent to a server or logged anywhere.
What is Subresource Integrity and why use it?
Subresource Integrity (SRI) lets you add an integrity attribute to a script or link tag containing a cryptographic hash of the file you expect. Before running the asset, the browser hashes what it downloaded and compares it. If a CDN is compromised or the file is altered in transit, the hash will not match and the browser refuses to load it, protecting your users from injected malicious code.
Which hash algorithm should I pick?
sha384 is the common recommendation and the default here: it is strong and is what most CDNs publish. sha256 and sha512 are also valid SRI algorithms. Whichever you choose, the integrity value must be generated from the exact bytes of the file you ship, including any minification.
Why does the tag include crossorigin="anonymous"?
The integrity check only runs when the browser can read the response, which for cross-origin assets requires CORS. Adding crossorigin="anonymous" makes the browser send an anonymous CORS request so the server response can be validated. Without it, a cross-origin asset is blocked rather than checked, so the attribute is effectively required for CDN-hosted files.
Does the hash change if I edit or re-minify the file?
Yes. SRI hashes the exact byte content, so any change, even one character or a different minifier, produces a different hash. Always regenerate the integrity value whenever you update the asset, and pin a specific version rather than a moving latest URL.
Can I put more than one hash in the integrity attribute?
Yes. The integrity attribute accepts a space-separated list of hashes, and the browser accepts the resource if any one of them matches. That is useful during a rollover when you are migrating between two versions of a file.
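The hash generation described above and the multi-hash check a browser performs, as an added example that is not this tool's own code. It goes slightly beyond the FAQ by following the SRI specification's matching rules: tokens with unknown algorithms are skipped, and when algorithms are mixed only hashes of the strongest one are compared. The function names and sample assets are constructed for illustration.

```javascript
// Added example, not the tool's own code. Runs in a browser console or in Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle; // older Node fallback
const ALGOS = { sha256: 'SHA-256', sha384: 'SHA-384', sha512: 'SHA-512' }; // weakest to strongest

// Hash the exact bytes (a string is encoded as UTF-8) and return "<alg>-<base64 digest>".
async function sriHash(content, alg = 'sha384') {
  if (!Object.hasOwn(ALGOS, alg)) throw new Error(`unsupported SRI algorithm: ${alg}`);
  const bytes = typeof content === 'string' ? new TextEncoder().encode(content) : content;
  const digest = new Uint8Array(await subtle.digest(ALGOS[alg], bytes));
  return `${alg}-${btoa(String.fromCharCode(...digest))}`;
}

// Check content against an integrity attribute the way the SRI specification describes.
async function sriMatches(content, integrityAttr) {
  const order = Object.keys(ALGOS);
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => t.split('?')[0])                      // drop any "?options" suffix
    .filter((t) => order.includes(t.split('-')[0]));  // ignore unknown algorithms
  // No usable hash at all: the attribute is ignored and the resource loads unchecked.
  if (tokens.length === 0) return true;
  // Only hashes of the strongest listed algorithm count; any one of them may match.
  const strongest = order.filter((a) => tokens.some((t) => t.startsWith(`${a}-`))).pop();
  return tokens.includes(await sriHash(content, strongest));
}

// Constructed sample assets for a version rollover (v1 -> v2).
async function demo() {
  const v1 = "alert('hi')";
  const v2 = "alert('hello')";
  const rollover = `${await sriHash(v1)} ${await sriHash(v2)}`;
  const mixed = `${await sriHash(v1, 'sha256')} ${await sriHash(v2, 'sha512')}`;
  return {
    v1: await sriMatches(v1, rollover),                    // true
    v2: await sriMatches(v2, rollover),                    // true
    oneByteOff: await sriMatches(v1 + ' ', rollover),      // false
    weakerIgnored: await sriMatches(v1, mixed),            // false: sha512 wins, v1 has only sha256
    typoAlg: await sriMatches('anything', 'sha-384-AAAA'), // true: unparseable, so no check
  };
}

demo().then((r) => console.log(r));
```

The `typoAlg` case is the one to watch for in review: a misspelled algorithm prefix silently disables the check instead of blocking the asset.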