ToolBelt

Subresource Integrity Hash

Generate a sha256/384/512-prefixed SRI hash for a file or text.

Open tool

Overview

The Subresource Integrity hash generator computes the sha256-, sha384-, or sha512-prefixed base64 hash that goes in an HTML <script integrity="..."> or <link integrity="..."> attribute. Paste the file contents (or upload it), pick a hash, and the tool emits the ready-to-paste integrity attribute value.

It is built for front-end engineers pinning third-party CDN scripts, security reviewers auditing existing SRI attributes, and CSP-curious developers who want defence-in-depth against a CDN compromise. An SRI hash generator is the simplest way to produce the value without remembering the openssl dgst -binary | openssl base64 incantation.

How it works

Subresource Integrity, defined in the W3C SRI specification, lets HTML authors specify a cryptographic hash that a fetched resource must match. The browser computes the hash of the response body after decompression but before parsing, and rejects the resource if the hash does not match. The integrity attribute value is a space-separated list of <algorithm>-<base64-hash> tokens; the browser picks the strongest algorithm it supports.

The tool hashes the input bytes with SHA-256, SHA-384, and/or SHA-512, base64-encodes each digest (standard alphabet, with padding), and prepends the algorithm token. Browsers accept all three; SHA-384 is the current recommendation as a balance of security and compactness.

Examples

Input file: app.min.js (raw bytes)
Output:
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"

Input bytes: "console.log(1)\n"
sha256: sha256-Pq9hOdwwGoY6yLkMnaJTQXTPNDrJUR/gIVCEqJYBzd0=
sha384: sha384-3oTpkVRA5d5VEqxxR7gpHV+G8hOPI74E66/2N1l8WMl11uX4n14JD3tQ3UoO5Sho
sha512: sha512-...

HTML usage:
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

FAQ

SHA-256, 384, or 512?

SHA-384 is the modern sweet spot — shorter than SHA-512 in base64 but with comfortable security margin. SHA-256 is also widely deployed; SHA-512 adds little practical benefit at the cost of longer attribute values.

Why does crossorigin="anonymous" matter?

CORS rules require the response to be fetched without credentials, and the server must send Access-Control-Allow-Origin, before the browser will compute and check the integrity hash. Without crossorigin, the integrity attribute is effectively ignored.

What if the resource changes?

The hash will not match and the browser will refuse to execute the script. That is exactly the point — SRI protects against unauthorised modifications, even if the file is changed at the CDN itself. Updating the resource means updating every page that references it with a fresh hash.

Can I include multiple hashes?

Yes. List them space-separated in the attribute value. Browsers verify against the strongest one they support, letting you publish both SHA-256 and SHA-384 for forward compatibility.

Try Subresource Integrity Hash

An unhandled error has occurred. Reload ×