SRI Hash Generator

SRI supports SHA-256, SHA-384, SHA-512. Recommendations: SHA-384 most common (balance of security and size), SHA-512 maximum security (longer hash), SHA-256 faster but less secure (still acceptable). You can specify multiple: integrity="sha384-abc123 sha512-def456" (browser uses strongest it supports). Performance: negligible difference for small files, SHA-384 recommended by most CDNs (jsdelivr, cdnjs). Hash format: algorithm-base64hash. Example: "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC". Security: all three are cryptographically secure for SRI purpose. This tool generates all three algorithms - choose based on your security policy.

Add integrity and crossorigin attributes to script/link tags. Steps: 1) Get hash from CDN (many provide it) or generate with this tool. 2) Add to HTML: . 3) Test: browser console shows error if hash mismatch. Requirements: crossorigin attribute required (CORS), HTTPS only (SRI doesn't work on HTTP), same hash for same file (cache-friendly). Common CDNs with SRI: jsdelivr.com (shows SRI hash), cdnjs.com (copy SRI button), unpkg.com (generate hash). For self-hosted: generate hash during build, include in HTML templates. This tool generates production-ready SRI snippets.

Browser blocks resource execution and fires error event. Console shows: "Failed to find a valid digest in the 'integrity' attribute for resource 'URL'". Consequences: script doesn't run (may break page functionality), CSS doesn't apply (visual issues), onerror event fires (can catch with JavaScript). Common causes: file updated on CDN (new version), typo in hash value, wrong file URL, CORS misconfiguration (missing crossorigin). Debugging: check browser console, verify file content matches hash, regenerate hash, ensure CORS headers present. Fallback strategy:

Integrate into build pipeline for automated hash generation. Methods: webpack-subresource-integrity plugin (Webpack), vite-plugin-sri (Vite), generate with command line: openssl dgst -sha384 -binary file.js | openssl base64 -A, Node.js script with crypto module. Build process: 1) Build assets (minify JS/CSS). 2) Generate SRI hash for each file. 3) Inject into HTML template. 4) Deploy assets and HTML together. Version control: commit hashes with code, update on file changes only. CI/CD: automate hash generation on every deployment. Popular tools handle automatically. This tool useful for: local development, manual verification, one-off hash generation, learning SRI concepts.

SRI only works for external resources (separate file URLs), not inline scripts/styles. Inline scripts have no integrity attribute. External scripts with src attribute pointing to https://cdn.example.com/file.js with integrity attribute work with SRI. For dynamic content: if file changes frequently, SRI problematic (hash changes). Solutions: versioned URLs (lib-v1.2.3.js), build-time hash generation, accept hash updates on deployments. Dynamic loading (JavaScript): fetch with integrity check using the Fetch API. Service workers: verify hashes in SW logic. If content truly dynamic (user-generated, personalized), SRI not applicable - use other security measures (CSP, input sanitization). This tool generates hashes for static resources, the primary SRI use case.

SRI and CSP are complementary security mechanisms. CSP: defines which domains can load resources (script-src, style-src). SRI: verifies resource content hasn't changed. Together: CSP allows cdn.example.com, SRI verifies specific file hash. Example: CSP: Content-Security-Policy: script-src 'self' https://cdn.example.com, HTML:

Browser support: all modern browsers (Chrome 45+, Firefox 43+, Safari 11.1+, Edge 17+). IE 11 doesn't support (ignores integrity attribute). Limitations: HTTPS only (no SRI on HTTP), requires CORS (crossorigin attribute), doesn't work for inline scripts, hash updates needed on file changes, doesn't prevent all attacks (can block if CDN fully compromised). Not a replacement for: code review, dependency scanning, CSP, regular security updates. Best for: third-party CDN resources, static assets, public libraries. Performance: minimal overhead (hash verification is fast). Fallback: older browsers ignore integrity attribute gracefully, still load resource. This tool generates cross-browser compatible SRI hashes following W3C standard.