What does the integrity attribute do?

It pins a cryptographic hash of the exact resource bytes the browser expects. After download the browser hashes the file and compares; if it does not match, the resource is blocked. This protects against a tampered or swapped CDN file.

Which hash algorithms are supported?

SHA-256, SHA-384 and SHA-512, written as the prefixes sha256-, sha384- and sha512-. SHA-384 is the common recommendation. SHA-1 and MD5 are not allowed for SRI.

Why is crossorigin required?

For cross-origin resources the browser only verifies integrity if the request is made with CORS. Add crossorigin="anonymous" so the response is fetched anonymously and the bytes are readable for hashing; otherwise the resource is blocked as opaque.

Can I list multiple hashes?

Yes. Separate hashes with spaces, optionally for different algorithms. The browser accepts the resource if any one hash matches and prefers the strongest algorithm present. This lets you roll algorithms or pin multiple acceptable versions.

Does this tool fetch or hash my files?

No. It only parses and validates the structure of an integrity string locally in your browser. Nothing is uploaded or fetched.

Subresource Integrity (SRI) Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Pinning third-party scripts and styles

Subresource Integrity (SRI) lets a page declare the cryptographic hash a <script> or <link rel="stylesheet"> resource must match. If a CDN is compromised or the file is altered in transit, the browser refuses to execute or apply it. This reference covers the integrity attribute syntax, the allowed hash algorithms and the crossorigin requirement, with a live parser.

How it works

An integrity value is one or more space-separated tokens. Each token is an algorithm prefix and a base64-encoded digest of the resource’s raw bytes:

<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

The prefix is sha256-, sha384- or sha512-. The base64 payload decodes to a digest of 32, 48 or 64 bytes respectively, so the encoded string has a fixed length per algorithm (44, 64 and 88 base64 characters including = padding). On download the browser hashes the bytes with the named algorithm and compares to the pinned digest; a mismatch blocks the resource.

Tips and notes

Generate a hash with openssl dgst -sha384 -binary file.js | openssl base64 -A.
Always pair cross-origin SRI with crossorigin="anonymous" or verification is skipped and the resource is blocked.
List several hashes (space-separated) to migrate algorithms without breaking older builds.
Recompute the hash on every file change — even a whitespace edit changes the digest.
SRI covers script and link; it does not protect images or other element types.