Generate Subresource Integrity (SRI) hashes for scripts and stylesheets. Protect against CDN compromise and tampering
Your CI pipeline just failed with a cryptic integrity mismatch error, and you need to regenerate an SRI hash fast. This tool computes SHA-256, SHA-384, and SHA-512 hashes for any JavaScript or CSS file so browsers can verify CDN resources haven't been tampered with. Upload a file, paste code, or point it at a URL, you get a ready-to-paste integrity attribute in seconds.
Initializing in your browser…
Visual Content Security Policy builder. Create CSP headers to protect against XSS and code injection attacks
Generate ultra-secure passwords with presets (Simple to Paranoid), strength analysis, entropy calculation, crack time estimation, password history, and bulk generation
Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance
You load Alpine.js from a CDN and a security audit asks you to pin it with Subresource Integrity so a compromised CDN cannot inject code.
Script you want to lock down
<script src="https://cdn.example.com/alpine@3.13.0/dist/cdn.min.js"></script>
Hardened tag the tool returns
<script src="https://cdn.example.com/alpine@3.13.0/dist/cdn.min.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>The tool fetches (or reads) the exact bytes, computes a SHA-384 digest, and base64-encodes it into an `integrity` attribute. The digest is derived from the file content, so if even one byte of the delivered script changes, the hash will not match and the browser refuses to execute it.
`crossorigin="anonymous"` is added because the browser must perform a CORS fetch to read the bytes it needs to verify, without it, SRI silently fails.
Your CI pipeline just failed with a cryptic integrity mismatch error, and you need to regenerate an SRI hash fast. This tool computes SHA-256, SHA-384, and SHA-512 hashes for any JavaScript or CSS file so browsers can verify CDN resources haven't been tampered with. Upload a file, paste code, or point it at a URL, you get a ready-to-paste integrity attribute in seconds.
Every time you generate a hash, this tool runs the file's bytes through the browser's native WebCrypto API (crypto.subtle.digest) for all three algorithms at once: SHA-256, SHA-384, and SHA-512 are computed in parallel via Promise.all, not one at a time, so switching the algorithm selector afterward is instant and never re-reads the file. The crucial detail most generators get wrong is encoding: the integrity value is the raw digest bytes base64-encoded (the code builds a binary string from the Uint8Array with String.fromCharCode and runs btoa on it), NOT the hex string you would get from a command-line sha384sum. That is why an SRI hash looks like 'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC' and not a 96-character hex string. The emitted attribute is always formatted as '<algorithm>-<base64>', e.g. sha384- prefixing the digest.
There are three input modes and they are not interchangeable in practice. The browse button's file picker is filtered to .js, .css, and .mjs (the drop zone itself will accept whatever file you drag in) and reads the file as an ArrayBuffer locally. The text/code box runs your pasted source through TextEncoder before hashing, which means it hashes the exact UTF-8 bytes you paste, so a stray trailing newline or different minification will produce a different hash than the file the CDN actually serves. The URL mode does a plain fetch() of the address, and because SRI verification itself requires CORS, this fetch is frequently blocked by the same-origin policy; the tool catches that TypeError and tells you to download the file and upload it directly instead. All hashing happens client-side in the browser, so nothing you paste or upload is sent to a server.
The output is built for copy-paste deployment, not just a bare hash. It generates a ready-made <script src="URL" integrity="..." crossorigin="anonymous"></script> and a <link rel="stylesheet" href="URL" integrity="..." crossorigin="anonymous"> with the literal 'URL' placeholder for you to swap in. The crossorigin="anonymous" is included deliberately: SRI only works on cross-origin resources when CORS is enabled, otherwise the browser refuses to read the bytes and blocks the resource. SHA-384 is the marked-recommended default (it is preselected on load and carries the 'Recommended' badge). The result panel also lists all three hashes at once and shows the byte size of what was hashed, which underscores the main SRI caveat: because the digest is byte-exact, a hash stays stable on a version-pinned CDN URL (jsdelivr/@1.2.3) but breaks on every upstream rebuild of a 'latest' or auto-minified URL, since any whitespace change alters the digest.
Paste the jQuery CDN URL, copy the generated integrity attribute, and add it to your <script> tag along with crossorigin="anonymous".
Generate an integrity hash for every third-party library you load, so a compromised CDN can't inject malicious code.
Automate SRI hash generation in your build pipeline to catch unexpected file changes before they reach production.
Satisfy CSP and audit requirements that mandate subresource integrity for externally hosted assets.
SHA-384 strikes the best balance between security strength and browser compatibility. SHA-256 is also fine for most projects.
The browser blocks the resource entirely, preventing potentially malicious code from running.
SRI requires CORS access to read the file contents for hash verification. Without the crossorigin attribute, the browser can't check the hash.
This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.