OneWebDesk

SRI Hash Generator

Generate Subresource Integrity hashes for external JS/CSS.

External JS and CSS loaded from a CDN can run malicious code on your site if the origin server is tampered with. Subresource Integrity (SRI) is a security standard that pins a cryptographic hash of the file so the browser only executes it when the bytes it actually received match. This SRI hash generator turns pasted file contents into an integrity hash using the sha256, sha384 or sha512 algorithm.

Add the generated integrity attribute together with crossorigin="anonymous" and the browser will refuse to load the resource if even a single byte changes. All hashing runs entirely in your browser via the Web Crypto API, so the file contents never leave your machine.

How is an SRI hash built?

An SRI hash is built by running the full file bytes through a hash function, Base64-encoding the digest, and prefixing the result with the algorithm name. For example: sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC. You can list multiple algorithm hashes separated by spaces; the browser picks the strongest one it supports.

  • sha256 — most widely compatible but the smallest security margin.
  • sha384 — a good balance of security and compatibility; the recommended default.
  • sha512 — the strongest and longest option.

Applying it in HTML

For external scripts, set both integrity and crossorigin on the <script> tag. Stylesheets work the same way on <link rel="stylesheet">.

  1. Paste the exact file contents you will ship (the minified/bundled final artifact).
  2. Copy the generated integrity value.
  3. Always include crossorigin="anonymous" — without it the check does not run.

When auditing third-party resources, it also helps to review their response headers with the security headers checker to confirm CSP, HSTS and the like are configured alongside integrity.

Frequently asked questions

Why is the crossorigin attribute required?
SRI verification only applies to resources fetched with CORS. Without crossorigin="anonymous" the browser skips the integrity check and ignores the integrity attribute. The CDN must also return appropriate CORS headers (Access-Control-Allow-Origin).

What happens if the file changes even slightly?
The hash no longer matches, so the browser blocks the resource and does not execute or apply it. After updating the CDN file you must regenerate the integrity value for the new version, otherwise legitimate updates are blocked too.

Which algorithm should I choose?
Use sha384 unless you have a specific reason not to. It balances strength and length well and is supported by every modern browser. Pick sha512 for stronger guarantees, or sha256 when legacy compatibility matters most.

Are the pasted file contents sent anywhere?
No. Hashing runs locally with the browser's built-in Web Crypto API (crypto.subtle.digest). Your input is never transmitted to or stored on a server, so even sensitive code is handled safely.

Can I enter a URL to fetch and hash automatically?
This tool takes pasted file contents directly. Fetching arbitrary URLs in the browser runs into CORS and security restrictions, so we recommend pasting the exact final artifact (the bundled/minified file).
