Subresource Integrity (SRI)
ClientSRI lets browsers refuse a script or stylesheet when its bytes differ from a declared digest. This page hashes your input with SHA-256, SHA-384, and SHA-512 via Web Crypto and formats each result as sha256-… / sha384-… / sha512-… base64 tokens for integrity attributes.
Related tools
For arbitrary file bytes without building HTML tags, use file checksum (hex digests and more algorithms). For pasted text hashes outside the SRI format, open the crypto workspace.
Subresource Integrity inputs
?
Browsers compare the fetched resource bytes to the hash in integrity. Use crossorigin="anonymous" on script / link when the response is CORS-exposed, as required for SRI checks.
Common use cases
- Pin a third-party script or stylesheet after downloading it once—paste the bytes you will actually serve and copy the matching integrity token.
- Compare SRI output against your bundler or openssl output when debugging a mismatch between dev and minified builds.
- Generate all three common algorithms in one pass and pick the one your HTML policy or framework documents.
- Teach front-end security: show how a single changed byte breaks the integrity match in the browser.
Common mistakes to avoid
Hashing source from disk but serving gzip or brotli from the CDN
The browser verifies the decoded response body (or per-fetch bytes per spec). Always hash the same representation users receive—often the uncompressed file bytes for static hosting.
Omitting crossorigin on CORS-static assets
SRI checks require a CORS-enabled response for cross-origin resources; anonymous is typical for public CDNs.
Using hex digests from openssl -hex instead of base64
The integrity attribute uses base64 of the raw digest, not hex. This page emits the exact token format browsers expect.
FAQ
Is my file uploaded?
No. File mode reads with FileReader locally; text mode hashes UTF-8 bytes only in your tab.
Which algorithm should I use?
SHA-256 is the usual default. SHA-384 and SHA-512 are supported for policies that require wider hashes.
Can I prefill pasted source?
Yes—?q= or ?qb= fills the text workspace (UTF-8), same as other Toolcore single-field tools.
Common search terms
Phrases people search for that match this tool. See the full long-tail keyword index.
- subresource integrity hash generator online
- sri sha256 integrity attribute browser
- calculate integrity sha384 base64 local
- script tag integrity crossorigin anonymous
More tools
Related utilities you can open in another tab—mostly client-side.
File checksum & hash
ClientSHA-256, SHA-512, MD5, CRC-32, and more for a local file—verify downloads without uploading.
Encrypt & decrypt
ClientEncrypt, decrypt, hash (AES, DES, RC4, Rabbit, TripleDES, MD5, SHA) and Base64—client-side.
Base64 & URL encoder
ClientUTF-8 Base64 encode/decode and URL component encode/decode in one workspace—paste, transform, copy.
CRC-32 & CRC-32C
ClientIEEE CRC-32 and Castagnoli CRC32C on UTF-8 text or raw hex bytes—ZIP/PNG family vs iSCSI/protobuf; local only, complements file checksum for whole-file digests.