Subresource Integrity Calculator
'/%3E%3Ccircle cx='48' cy='39' r='19' fill='%23f2c9a5'/%3E%3Cpath d='M27 35c3-16 39-17 42 2-8-8-27-9-42-2z' fill='%23374151'/%3E%3Cpath d='M21 86c5-24 49-28 56 0z' fill='%232563eb'/%3E%3Ccircle cx='41' cy='41' r='2' fill='%23111827'/%3E%3Ccircle cx='55' cy='41' r='2' fill='%23111827'/%3E%3Cpath d='M42 52c4 3 9 3 13 0' stroke='%2392400e' stroke-width='3' fill='none' stroke-linecap='round'/%3E%3C/svg%3E)
Reviewed by Calculator Editorial Team
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (like JavaScript or CSS) are delivered without unexpected manipulation. This calculator helps you generate and verify SRI hashes for your web resources.
What is Subresource Integrity?
Subresource Integrity (SRI) is a security mechanism that allows web developers to ensure that resources they load (such as JavaScript files, CSS files, or web fonts) have not been tampered with. It works by requiring the browser to verify the integrity of these resources using cryptographic hashes.
SRI is particularly important for loading third-party resources where you can't control the content delivery. It helps prevent attacks where malicious actors might inject harmful code into these resources.
Why Use Subresource Integrity?
Using SRI provides several benefits:
- Prevents man-in-the-middle attacks by verifying resource integrity
- Ensures resources haven't been modified after being cached
- Provides an additional layer of security for critical resources
- Helps meet security requirements for compliance standards
How to Use This Calculator
This calculator allows you to:
- Enter the content of your resource (JavaScript, CSS, or other text-based content)
- Select the hash algorithm (SHA-256, SHA-384, or SHA-512)
- Generate the integrity hash for your resource
- Verify existing hashes against your content
The calculator uses the Web Crypto API to generate cryptographic hashes of your input content. The formula is:
hash = await crypto.subtle.digest(algorithm, content)
The result is then encoded as a base64 string.
Example Usage
If you have a JavaScript file with the content:
console.log("Hello, world!");Using SHA-256, the calculator would generate a hash that looks like:
sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=You would then include this in your HTML like this:
<script src="example.js" integrity="sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" crossorigin="anonymous"></script>How Subresource Integrity Works
The SRI process involves these key steps:
- Generate a cryptographic hash of your resource file
- Encode the hash in base64
- Add the integrity attribute to your HTML element
- The browser verifies the hash when loading the resource
Supported Hash Algorithms
SRI supports several hash algorithms, each with different security characteristics:
| Algorithm | Output Size (bits) | Security Level |
|---|---|---|
| SHA-256 | 256 | Good for most use cases |
| SHA-384 | 384 | Higher security, slightly slower |
| SHA-512 | 512 | Highest security, slowest |
For most web applications, SHA-256 provides a good balance between security and performance. The higher-bit algorithms are only necessary for very sensitive applications.
Best Practices for SRI
When implementing SRI, consider these best practices:
- Always use HTTPS to ensure resources are delivered securely
- Include the crossorigin attribute when loading external resources
- Test your SRI implementation in multiple browsers
- Consider using a Content Security Policy (CSP) alongside SRI
- Regularly update your resource hashes when they change
Common Pitfalls
Avoid these common mistakes when working with SRI:
- Not including the crossorigin attribute when loading external resources
- Using HTTP instead of HTTPS for resource delivery
- Not updating hashes when resources change
- Using weak hash algorithms for sensitive resources
- Not testing your implementation in multiple browsers