Generate SRI Hash with SHA-384

SRI with SHA-384 — The Recommended Default

SHA-384 is the recommended algorithm for Subresource Integrity according to the W3C specification. It strikes the best balance between security margin and performance, producing a 384-bit (48-byte) digest that is Base64-encoded into a 64-character string.

Why SHA-384 Is the Default

The W3C SRI specification recommends SHA-384 for several reasons:

• Length-extension resistance: SHA-384 is inherently immune to length-extension attacks because it truncates the output of SHA-512. SHA-256 and SHA-512 do not truncate, making them theoretically susceptible (though no practical attack exists).
• 64-bit optimization: On modern 64-bit processors, SHA-384 is often faster than SHA-256 because it uses SHA-512's internal 64-bit word operations, which map directly to CPU instructions.
• Sufficient digest size: 384 bits provides a security level of 192 bits against collision attacks, far beyond any foreseeable computational capability.

Generating a SHA-384 SRI Hash

Using the Web Crypto API:

const data = new TextEncoder().encode(fileContent);
const hashBuffer = await crypto.subtle.digest("SHA-384", data);
const base64 = btoa(String.fromCharCode(...new Uint8Array(hashBuffer)));
const integrity = `sha384-${base64}`;

The result:

<script
  src="https://cdn.example.com/app.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxANb..."
  crossorigin="anonymous"
></script>

Major CDN Adoption

All major CDNs provide SHA-384 integrity hashes:

• cdnjs — displays SRI hashes on every library page
• jsDelivr — includes SHA-384 hashes in API responses
• unpkg — supports integrity hash computation via query parameter
• Bootstrap CDN — provides copy-paste snippets with integrity attributes

Verification Process

When a browser encounters a sha384- integrity attribute, it downloads the resource, computes the SHA-384 hash of the response body, and compares the Base64 digests byte-by-byte. Any difference — even a single byte — causes the resource to be blocked.