SRI hash generator
Pin the exact bytes of a third-party script or stylesheet. Paste the content or pick a
file, choose a hash algorithm, and copy the integrity attribute — so a
tampered or compromised CDN can never run code you didn't ship.
sha384 is the recommended baseline. Selecting several emits them all — the browser enforces the strongest it supports.
About Subresource Integrity
Subresource Integrity adds an integrity attribute to <script> and
<link rel="stylesheet"> tags. The browser fetches the resource,
hashes the bytes it received, and runs it only if the digest matches. If a CDN is
breached and serves altered JavaScript, the hash no longer matches and the browser
refuses to execute it.
Pick a strong hash
sha384 is the recommended baseline. List several
(sha256 sha384 sha512) and the browser enforces the strongest it
understands.
It needs CORS
SRI on a cross-origin resource is only checked when the resource is fetched with CORS. Keep
crossorigin="anonymous" on the tag and make sure the host sends
Access-Control-Allow-Origin.
Pin an immutable URL
Point at a versioned, never-changing file. If the bytes ever change the hash breaks and the resource stops loading — which is the point, but only if the URL is stable.
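The hashing and the browser-side check described above, as an added Python example (not this tool's own code). It builds the integrity value and tag for a pinned file and models how a browser enforces only the strongest listed algorithm; the sample bytes, the URL and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import html

# Hash algorithms SRI defines, ordered weakest to strongest.
STRENGTH = ("sha256", "sha384", "sha512")

def sri_token(data: bytes, alg: str = "sha384") -> str:
    """One integrity token: '<alg>-<base64 of the raw digest>'."""
    if alg not in STRENGTH:
        raise ValueError(f"not an SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def integrity_value(data: bytes, algs=("sha384",)) -> str:
    """Space-separated tokens, as they appear in the integrity attribute."""
    return " ".join(sri_token(data, alg) for alg in algs)

def script_tag(url: str, data: bytes, algs=("sha384",)) -> str:
    """Tag to paste into the page; crossorigin keeps the fetch in CORS mode."""
    return (f'<script src="{html.escape(url)}" '
            f'integrity="{integrity_value(data, algs)}" '
            f'crossorigin="anonymous"></script>')

def browser_accepts(integrity: str, received: bytes) -> bool:
    """Model of the browser check: only the strongest listed algorithm counts."""
    parsed = []
    for token in integrity.split():
        alg, sep, expected = token.partition("-")
        if sep and alg in STRENGTH:
            parsed.append((alg, expected.split("?")[0]))  # drop ?options
    if not parsed:
        # No recognised token means no integrity metadata: nothing is enforced.
        return True
    strongest = max((alg for alg, _ in parsed), key=STRENGTH.index)
    actual = sri_token(received, strongest).split("-", 1)[1]
    return any(alg == strongest and exp == actual for alg, exp in parsed)

# Constructed sample: the bytes that were reviewed, and an altered copy.
GOOD = b"console.log('widget 1.2.3');\n"
TAMPERED = GOOD + b"/* altered on the CDN */\n"
URL = "https://cdn.example/widget@1.2.3/widget.min.js"  # hypothetical URL

if __name__ == "__main__":
    print(script_tag(URL, GOOD, ("sha256", "sha384", "sha512")))
    print("original bytes accepted:", browser_accepts(integrity_value(GOOD), GOOD))
    print("altered bytes accepted: ", browser_accepts(integrity_value(GOOD), TAMPERED))
```

An attribute whose only tokens use an unrecognised algorithm name is treated as having no integrity metadata, so a typo in the algorithm prefix silently disables the check instead of blocking the load.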