
Using Multiple SRI Hashes (Fallback)

Learn how to specify multiple hash algorithms in a single SRI integrity attribute for fallback and forward compatibility. Understand browser hash selection behavior.

Detailed Explanation

Multiple Hashes in SRI Integrity Attributes

The SRI specification allows you to include multiple hash values in a single integrity attribute, separated by spaces. This enables algorithm fallback, forward compatibility, and gradual migration between hash algorithms.

Syntax

<script
  src="https://cdn.example.com/lib.js"
  integrity="sha256-abc123... sha384-def456... sha512-ghi789..."
  crossorigin="anonymous"
></script>

The browser evaluates the hashes and uses the strongest algorithm it supports.

How Browsers Select the Hash

When multiple hashes are present, the browser:

  1. Identifies all hash algorithms in the attribute
  2. Selects the strongest algorithm (SHA-512 > SHA-384 > SHA-256)
  3. Computes the hash using that algorithm
  4. Compares against all hashes of that algorithm strength
  5. Passes if any hash of the strongest algorithm matches

This means that if you include both sha256-... and sha384-..., the browser will only check the SHA-384 hash and ignore the SHA-256 one.
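The selection steps above can be modeled in a few lines of Node.js. This is an added example, not code from the original page or from any browser; the function names (parseIntegrity, verifyIntegrity, sri) and the sample file contents are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

// Strength order from the list above: SHA-512 > SHA-384 > SHA-256.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Split an integrity value on whitespace into { alg, digest } entries.
// Tokens with an unknown algorithm or a non-base64 digest are skipped.
function parseIntegrity(value) {
  const entries = [];
  for (const token of value.trim().split(/\s+/)) {
    const dash = token.indexOf("-");
    if (dash < 0) continue;
    const alg = token.slice(0, dash).toLowerCase();
    const digest = token.slice(dash + 1).split("?")[0]; // drop any ?options
    if (Object.hasOwn(STRENGTH, alg) && BASE64.test(digest)) entries.push({ alg, digest });
  }
  return entries;
}

// Returns which algorithm was checked and whether the body matched.
function verifyIntegrity(body, value) {
  const entries = parseIntegrity(value);
  // Assumption in this model: no usable entry means nothing is enforced.
  if (entries.length === 0) return { checked: null, ok: true };
  const strongest = entries
    .map((e) => e.alg)
    .reduce((a, b) => (STRENGTH[b] > STRENGTH[a] ? b : a));
  const actual = createHash(strongest).update(body).digest("base64");
  const ok = entries.some((e) => e.alg === strongest && e.digest === actual);
  return { checked: strongest, ok };
}

// Build an integrity token for a constructed sample body.
function sri(alg, body) {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Constructed sample inputs: two versions of the same file.
const original = "console.log('lib v1');";
const patched = "console.log('lib v1.0.1');";

// A stale SHA-256 entry is never consulted once a SHA-384 entry is present.
const stale = `sha256-${"A".repeat(43)}= ${sri("sha384", original)}`;
console.log(verifyIntegrity(original, stale));
// A correct SHA-256 entry cannot rescue a SHA-384 entry for a different file.
const mismatch = `${sri("sha256", original)} ${sri("sha384", patched)}`;
console.log(verifyIntegrity(original, mismatch));
```

In this model a comma-separated value yields no usable entries at all, so nothing is checked; inspect the parsed entries of a generated attribute before shipping it.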

Use Case: Algorithm Migration

When migrating from SHA-256 to SHA-384:

<!-- Phase 1: Add SHA-384 alongside SHA-256 -->
<script
  integrity="sha256-oldHash... sha384-newHash..."
  crossorigin="anonymous"
  src="..."
></script>

<!-- Phase 2: Remove SHA-256 (browser was already ignoring it) -->
<script
  integrity="sha384-newHash..."
  crossorigin="anonymous"
  src="..."
></script>

Use Case: Multiple Valid Files

Multiple hashes of the same algorithm allow you to accept different valid versions of a file:

<!-- Accept either the original or the patched version -->
<script
  integrity="sha384-originalHash... sha384-patchedHash..."
  crossorigin="anonymous"
  src="..."
></script>

This is useful during deployments when a CDN may serve either version during cache propagation.

Limitations

  • Performance: The browser computes only one hash (the strongest algorithm), so multiple hashes have negligible performance impact.
  • No per-algorithm fallback: You cannot say "try SHA-384 first, fall back to SHA-256 if the browser does not support it." All modern browsers support all three algorithms.
  • Whitespace sensitivity: Hash values are separated by spaces. No commas, no semicolons.

Best Practice

For most applications, a single SHA-384 hash is sufficient. Use multiple hashes only when you have a specific need: algorithm migration, multi-version acceptance during deployment, or compliance requirements mandating multiple algorithm coverage.

Use Case

Multiple SRI hashes are valuable during CDN migration when you need to accept both old and new file versions temporarily, during algorithm upgrades from SHA-256 to SHA-384, and in enterprise environments where security policies require dual-algorithm verification. They are also useful in blue-green deployments where different CDN nodes may serve slightly different file versions.
