SRI Hash Generator

Generate Subresource Integrity hashes for script and link tags. Compute SHA-256, SHA-384, and SHA-512 integrity attributes instantly.

About This Tool

The SRI Hash Generator computes Subresource Integrity hashes for JavaScript and CSS files directly in your browser. SRI is a W3C security standard that lets browsers verify that resources fetched from CDNs or third-party servers have not been tampered with. When you add an integrity attribute to your <script> or <link> tags, browsers refuse to execute the resource if the hash does not match, which protects your site from supply-chain attacks.

This tool generates SHA-256, SHA-384, and SHA-512 hashes simultaneously. SHA-384 is the most commonly used algorithm for SRI because it offers a good balance between security and performance, and it is the default recommended by the W3C specification. All three algorithms are computed using the browser's built-in Web Crypto API, which provides hardware-accelerated, constant-time implementations — the same API used by our Hash Generator for general-purpose hashing.

SRI hashes are essential when loading resources from public CDNs like cdnjs, jsDelivr, or unpkg. If an attacker compromises the CDN and modifies the hosted file, the SRI hash will no longer match and the browser will block the resource. This is especially important for security-sensitive applications. For additional protection, consider setting a Content Security Policy header that enforces SRI via the require-sri-for directive. Browser support for require-sri-for is limited, so test it in your target browsers before relying on it.

You can paste file content directly, upload a .js or .css file via drag-and-drop, and optionally provide the resource URL to get a ready-to-paste HTML tag. The tool also shows the input size so you can monitor file weight. All processing happens client-side — your code and files are never transmitted to any server. If you need to generate meta tags for your page alongside SRI tags, check out our Meta Tag Generator.

How to Use

  1. Paste the JavaScript or CSS file content into the File Content textarea, or drag and drop a .js / .css file.
  2. Optionally enter the Resource URL (e.g. a CDN URL) to include it in the generated HTML tag.
  3. Click Generate All or press Ctrl+Enter to compute SHA-256, SHA-384, and SHA-512 hashes simultaneously.
  4. Toggle between <script> and <link> tag output using the badges at the top.
  5. Click the copy button next to any integrity hash or HTML tag to copy it to your clipboard.
  6. Use Ctrl+Shift+C to quickly copy the SHA-384 integrity hash.
  7. Click Clear to reset all inputs and results.

FAQ

Is my data safe?

Yes. All SRI hash computation runs entirely in your browser using the Web Crypto API. Your file content, source code, and URLs are never sent to any server, stored in a database, or logged by any analytics service.

Which SHA algorithm should I use for SRI?

The W3C recommends SHA-384 as the default for SRI. It provides a strong security margin while being efficient to compute. SHA-256 and SHA-512 are also valid and supported by all modern browsers, but SHA-384 is the most widely used in practice.

What is Subresource Integrity (SRI)?

SRI is a security feature that allows browsers to verify that files fetched from third-party servers (like CDNs) have not been modified. You include a cryptographic hash in the integrity attribute of a script or link tag, and the browser checks the downloaded file against that hash before executing it.

Do I need the crossorigin attribute?

Yes. When using SRI with resources loaded from a different origin (e.g., a CDN), you must include crossorigin="anonymous" in your tag. Without it, the browser cannot perform the integrity check on cross-origin resources and will block them.

Does SRI work with all browsers?

SRI is supported by all modern browsers including Chrome, Firefox, Safari, Edge, and Opera. Internet Explorer does not support SRI, but it will simply ignore the integrity attribute and load the resource normally, so adding SRI does not break backward compatibility.

Can I use multiple hash algorithms in one integrity attribute?

Yes. You can include multiple hashes separated by spaces, such as integrity="sha256-abc... sha384-def...". The browser will use the strongest algorithm it supports. This allows for a graceful upgrade path when transitioning between algorithms.
