SRI Hash Generator

What is Subresource Integrity?

SRI is a new W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source.

Learn more about how to use subresource integrity on MDN.


How is Subresource Integrity different to HTTPS?

TLS ensures that the connection between the browser and the server is secure. The resource itself may still be modified server-side by an attacker to include malicious content, yet still be served with a valid TLS certificate. SRI, on the other hand, guarantees that a resource hasn't changed since it was hashed by a web author.


How can I generate Integrity hashes?

Use the generator above or the following shell command:
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
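
The same computation as a build-time check, added here as an example (it is not this site's own code): it produces the value of the integrity attribute, builds the pinned script tag with crossorigin="anonymous", and verifies a file against an integrity value. It goes beyond the single-hash case above by handling an attribute that lists several hashes, where only the strongest algorithm present is checked. The function names, the sample file content and the cdn.example URL are assumptions.

```python
import base64
import hashlib

# Algorithms the SRI specification allows, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return '<algorithm>-<base64 digest>', the value of the integrity attribute."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify(data: bytes, integrity: str) -> bool:
    """Check data against an integrity value that may list several hashes."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, rest = token.partition("-")
        if sep and algorithm in ALGORITHMS:
            # Drop any '?options' suffix before comparing.
            by_algorithm.setdefault(algorithm, []).append(rest.split("?", 1)[0])
    if not by_algorithm:
        return False  # nothing usable: this check refuses rather than skipping
    # Only hashes of the strongest listed algorithm count; weaker ones are ignored.
    strongest = max(by_algorithm, key=ALGORITHMS.index)
    expected = sri_hash(data, strongest).split("-", 1)[1]
    return expected in by_algorithm[strongest]


def script_tag(url: str, data: bytes) -> str:
    """Build a <script> tag pinned to data, with crossorigin="anonymous"."""
    return (f'<script src="{url}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed sample input standing in for a third-party library file.
    library = b"console.log('hello');\n"
    print(script_tag("https://cdn.example/lib.js", library))
    print(verify(library, sri_hash(library)))              # unchanged file
    print(verify(library + b"evil()", sri_hash(library)))  # modified file
```

Run verify() in CI against the integrity values committed in your HTML so that a changed third-party file fails the build before it fails in the browser.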


Why do I need to include crossorigin="anonymous"?

When the request is not on the same origin, the crossorigin attribute must be present for the browser to check the integrity of the file.
Without a crossorigin attribute, the browser will choose to 'fail-open' which means it will load the resource as if the integrity attribute was not set, effectively losing all the security SRI brings in the first place.

crossorigin="anonymous" means that no credentials are sent to the cross-origin site hosting the content. However, the browser will still send an Origin HTTP header. If the server denies including the resource (by not setting the Access-Control-Allow-Origin HTTP header), the resource will not be used by the browser.
You can find more information on MDN.


Test your browser

Check out SRI on caniuse.com to see specific browser version support information.

To fully test your browser for subresource integrity support, please open this page.
