SRI Hash for jQuery CDN

Q: SRI Hash for jQuery CDN

## jQuery SRI Hashes for Secure CDN Loading jQuery remains one of the most widely-used JavaScript libraries, loaded from CDNs on millions of websites. Given its prevalence, jQuery CDN files are high-value targets for supply-chain attacks. Adding SRI ensures that even if a CDN is compromised, your users are protected. ### Official jQuery CDN with SRI jQuery's official CDN (code.jquery.com) provides SRI hashes for every release: html <script src="https://code.jquery.com/jquery-3.7.1.min.js"

Get the correct SRI integrity hash for jQuery loaded from official CDNs. Copy-paste ready script tags for jQuery 3.x with SHA-384 integrity attributes included.

CDN Security

Detailed Explanation

jQuery SRI Hashes for Secure CDN Loading

jQuery remains one of the most widely-used JavaScript libraries, loaded from CDNs on millions of websites. Given its prevalence, jQuery CDN files are high-value targets for supply-chain attacks. Adding SRI ensures that even if a CDN is compromised, your users are protected.

Official jQuery CDN with SRI

jQuery's official CDN (code.jquery.com) provides SRI hashes for every release:

<script
  src="https://code.jquery.com/jquery-3.7.1.min.js"
  integrity="sha384-1H217gwSVyLSIfaLxHbE7dRb3v4mYCKbpQvzx0cegeju1MVsGrX5xXxAvs/HgeFs"
  crossorigin="anonymous"
></script>

Alternative CDNs

jQuery is also available from other CDNs, each serving the same file content and therefore producing the same SRI hash:

Google CDN: https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js
cdnjs: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js
jsDelivr: https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js

Because SRI hashes are computed from file content, the same hash works across CDNs only if the files are byte-for-byte identical. Always verify by computing the hash yourself.

Generating Your Own jQuery SRI Hash

Never blindly trust published hashes. Generate your own:

Download the file: curl -O https://code.jquery.com/jquery-3.7.1.min.js
Compute the hash: cat jquery-3.7.1.min.js | openssl dgst -sha384 -binary | openssl base64 -A
Compare with the published hash
Use this tool to paste the file content and verify instantly

Version Pinning Is Essential

SRI hashes are tied to specific file content. If you use a URL like jquery@3 (without a patch version), the CDN may serve a newer version whose content does not match your hash, causing the script to be blocked. Always pin exact versions when using SRI:

jquery@3.7.1 (pinned, SRI-safe)
jquery@3.7 (risky, minor updates may change content)
jquery@3 (dangerous, major range)
jquery@latest (incompatible with SRI)

Migrating Legacy jQuery Sites

If you maintain a site that loads jQuery without SRI, adding the integrity attribute is a quick win for security. No code changes are required — just add two attributes to the existing <script> tag.

Use Case

Any website that loads jQuery from a CDN should add SRI. This includes legacy applications, WordPress sites with custom themes, marketing landing pages, and internal tools that rely on jQuery for DOM manipulation and AJAX. jQuery's ubiquity makes it the most impactful single library to protect with SRI.

Try It — SRI Hash Generator

Open full tool →