Skip to main content
L
Loopaloo
Buy Us a Coffee
All ToolsImage ProcessingAudio ProcessingVideo ProcessingDocument & TextPDF ToolsCSV & Data AnalysisConverters & EncodersWeb ToolsMath & ScienceGames
Guides & BlogAboutContact
Buy Us a Coffee
L
Loopaloo

Free online tools for developers, designers, and content creators. All processing happens entirely in your browser - your files never leave your device. No uploads, no accounts, complete privacy.

support@loopaloo.com

Tool Categories

  • Image Tools
  • Audio Tools
  • Video Tools
  • Document & Text
  • PDF Tools
  • CSV & Data
  • Converters
  • Web Tools
  • Math & Science
  • Games

Company

  • About Us
  • Contact
  • Blog
  • FAQ

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

Support

Buy Us a Coffee

© 2026 Loopaloo. All rights reserved. Built with privacy in mind.

Privacy|Terms|Disclaimer
  1. Home
  2. Web Tools
  3. SRI Hash Generator
Add to favorites

SRI Hash Generator

Generate Subresource Integrity (SRI) hashes for scripts and stylesheets. Protect against CDN compromise and tampering

Your CI pipeline just failed with a cryptic integrity mismatch error, and you need to regenerate an SRI hash fast. This tool computes SHA-256, SHA-384, and SHA-512 hashes for any JavaScript or CSS file so browsers can verify CDN resources haven't been tampered with. Upload a file, paste code, or point it at a URL, you get a ready-to-paste integrity attribute in seconds.

Runs locally in your browserMore web toolsJump to full guide

Related reading

  • Content Security Policy: Protecting Your Website from Injection Attacks15 min read

Initializing in your browser…

You might also like

CSP Builder

Visual Content Security Policy builder. Create CSP headers to protect against XSS and code injection attacks

Password Generator

Generate ultra-secure passwords with presets (Simple to Paranoid), strength analysis, entropy calculation, crack time estimation, password history, and bulk generation

CSR Generator

Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance

SRI Hash Generator: a worked example

You load Alpine.js from a CDN and a security audit asks you to pin it with Subresource Integrity so a compromised CDN cannot inject code.

Script you want to lock down

<script src="https://cdn.example.com/alpine@3.13.0/dist/cdn.min.js"></script>
SRI Hash Generator produces

Hardened tag the tool returns

<script src="https://cdn.example.com/alpine@3.13.0/dist/cdn.min.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

The tool fetches (or reads) the exact bytes, computes a SHA-384 digest, and base64-encodes it into an `integrity` attribute. The digest is derived from the file content, so if even one byte of the delivered script changes, the hash will not match and the browser refuses to execute it.

`crossorigin="anonymous"` is added because the browser must perform a CORS fetch to read the bytes it needs to verify, without it, SRI silently fails.

About the SRI Hash Generator

Your CI pipeline just failed with a cryptic integrity mismatch error, and you need to regenerate an SRI hash fast. This tool computes SHA-256, SHA-384, and SHA-512 hashes for any JavaScript or CSS file so browsers can verify CDN resources haven't been tampered with. Upload a file, paste code, or point it at a URL, you get a ready-to-paste integrity attribute in seconds.

Key features

  • SHA-256, SHA-384, and SHA-512 output
  • Drag-and-drop file upload
  • URL fetching when CORS allows
  • Ready-to-use <script> and <link> tags
  • Entirely client-side, nothing leaves your browser

How to use

  1. 1Upload a JS or CSS file, paste code directly, or enter a URL.
  2. 2Choose your hash algorithm, SHA-384 is the recommended default.
  3. 3Copy the generated integrity attribute or the full HTML tag.
  4. 4Add crossorigin="anonymous" to your script or link element.

How it works

Every time you generate a hash, this tool runs the file's bytes through the browser's native WebCrypto API (crypto.subtle.digest) for all three algorithms at once: SHA-256, SHA-384, and SHA-512 are computed in parallel via Promise.all, not one at a time, so switching the algorithm selector afterward is instant and never re-reads the file. The crucial detail most generators get wrong is encoding: the integrity value is the raw digest bytes base64-encoded (the code builds a binary string from the Uint8Array with String.fromCharCode and runs btoa on it), NOT the hex string you would get from a command-line sha384sum. That is why an SRI hash looks like 'sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC' and not a 96-character hex string. The emitted attribute is always formatted as '<algorithm>-<base64>', e.g. sha384- prefixing the digest.

There are three input modes and they are not interchangeable in practice. The browse button's file picker is filtered to .js, .css, and .mjs (the drop zone itself will accept whatever file you drag in) and reads the file as an ArrayBuffer locally. The text/code box runs your pasted source through TextEncoder before hashing, which means it hashes the exact UTF-8 bytes you paste, so a stray trailing newline or different minification will produce a different hash than the file the CDN actually serves. The URL mode does a plain fetch() of the address, and because SRI verification itself requires CORS, this fetch is frequently blocked by the same-origin policy; the tool catches that TypeError and tells you to download the file and upload it directly instead. All hashing happens client-side in the browser, so nothing you paste or upload is sent to a server.

The output is built for copy-paste deployment, not just a bare hash. It generates a ready-made <script src="URL" integrity="..." crossorigin="anonymous"></script> and a <link rel="stylesheet" href="URL" integrity="..." crossorigin="anonymous"> with the literal 'URL' placeholder for you to swap in. The crossorigin="anonymous" is included deliberately: SRI only works on cross-origin resources when CORS is enabled, otherwise the browser refuses to read the bytes and blocks the resource. SHA-384 is the marked-recommended default (it is preselected on load and carries the 'Recommended' badge). The result panel also lists all three hashes at once and shows the byte size of what was hashed, which underscores the main SRI caveat: because the digest is byte-exact, a hash stays stable on a version-pinned CDN URL (jsdelivr/@1.2.3) but breaks on every upstream rebuild of a 'latest' or auto-minified URL, since any whitespace change alters the digest.

Examples

  • Lock down jQuery from a CDN

    Paste the jQuery CDN URL, copy the generated integrity attribute, and add it to your <script> tag along with crossorigin="anonymous".

Tips & best practices

  • Always use SHA-384 for new projects, it's the W3C recommended default.
  • Pin your CDN URLs to a specific version so the hash stays stable across deployments.
  • Include multiple hashes (sha384-… sha512-…) if you want a migration path between algorithms.

Practical scenarios

  • Locking down CDN scripts

    Generate an integrity hash for every third-party library you load, so a compromised CDN can't inject malicious code.

  • CI/CD integrity checks

    Automate SRI hash generation in your build pipeline to catch unexpected file changes before they reach production.

  • Security compliance

    Satisfy CSP and audit requirements that mandate subresource integrity for externally hosted assets.

Frequently asked questions

Which algorithm should I pick?

SHA-384 strikes the best balance between security strength and browser compatibility. SHA-256 is also fine for most projects.

What happens when the hash doesn't match?

The browser blocks the resource entirely, preventing potentially malicious code from running.

Why do I need crossorigin="anonymous"?

SRI requires CORS access to read the file contents for hash verification. Without the crossorigin attribute, the browser can't check the hash.

Related tools and how they differ

  • Hash Generator: Produces raw hex or base64 SHA digests of typed text plus HMAC and password checks; use it for general string hashing, not HTML integrity tags.
  • Checksum Calculator: Hashes whole files and checks one against an expected value; use it to confirm a download was not corrupted, not to generate a CDN integrity attribute.
  • CSP Builder: Builds Content-Security-Policy headers by whitelisting allowed script/style/image sources; use it to block injected XSS, not to pin one file's hash.
  • URL Safety Analyzer: Vets an inbound link for phishing, lookalike domains, and shorteners before you click; use it to protect yourself reading a link, not to lock a CDN asset.

Further reading

  • Content Security Policy: Protecting Your Website from Injection Attacks15 min read

Private by design

This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.