Pin your CDN scripts against supply chain attacks.
Paste any external script or stylesheet URL and get a complete HTML tag with the correct integrity attribute. The hash is computed in your browser using the Web Crypto API.
How SRIGen works
1. Paste a CDN URL
Enter the full URL of any external JavaScript or CSS file. SRIGen auto-detects whether it's a script or stylesheet from the file extension.
2. File is fetched in your browser
The tool makes a standard fetch() request from your browser straight to the CDN. The file content never passes through any server other than the CDN it is fetched from.
3. Hash is computed locally
Using the Web Crypto API (crypto.subtle.digest), SRIGen computes SHA-256, SHA-384 and SHA-512 digests of the raw file bytes and base64-encodes each one.
4. Complete HTML tag is generated
The output is a ready-to-paste <script> or <link> tag with the integrity attribute and crossorigin="anonymous" already included. No assembly required.
5. Copy and deploy
Click the copy button and replace your existing script/link tag with the integrity-protected version. From then on the browser refuses to execute (or apply) the file if its bytes differ from the ones you hashed, whether the change happened on the CDN or in transit.
What SRI protects against
Subresource Integrity is a single-purpose defense: it ensures the file your browser downloads is byte-for-byte identical to the file you hashed. If anything differs, the browser refuses to execute or apply it.
- CDN key compromise (like the June 2026 OptinMonster attack)
- CDN account takeover or a rogue employee with deployment access
- Man-in-the-middle modification of CDN responses (e.g. on compromised Wi-Fi)
- Accidental file corruption or CDN cache poisoning
- CDN domain expiration and re-registration by an attacker
What SRI does not protect against
- Vulnerabilities in the legitimate script code: the hash proves the file is the one you chose, not that it is safe (use auditing tools instead)
- Scripts you host on your own origin: an attacker who can rewrite the file can usually rewrite the hash in your HTML too (use CSP and hardening of your own origin for that)
- First-party supply chain attacks: a compromised build pipeline produces a "legitimate" file and a matching hash
- Scripts loaded dynamically by other scripts at runtime, unless the loading code sets an integrity value itself
SRI syntax reference
The integrity attribute uses a simple format: the algorithm name, a hyphen, and the base64-encoded hash (standard base64 with padding, not base64url).

```html
<script
  src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"
  integrity="sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz"
  crossorigin="anonymous"
></script>
```

```html
<link
  rel="stylesheet"
  href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css"
  integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YcnS/Kla5tLqp7T8EZQ4LGb7R+tQ7dMKV0p"
  crossorigin="anonymous"
/>
```

Several hashes may be listed, separated by spaces. The browser keeps only the hashes for the strongest algorithm it supports and accepts the file if any one of them matches; weaker algorithms in the list are ignored, so listing a sha256 next to a sha384 buys nothing in current browsers. Two hashes of the same algorithm are useful when a CDN is rolling out a new build and both versions must be accepted for a while.

```html
<!-- Browser uses the strongest algorithm it supports -->
<script
  src="https://cdn.example.com/lib.js"
  integrity="sha256-abc123... sha384-def456... sha512-ghi789..."
  crossorigin="anonymous"
></script>
```

Key requirements
- The crossorigin="anonymous" attribute is mandatory for cross-origin resources (same-origin files need no crossorigin attribute)
- The CDN must serve Access-Control-Allow-Origin headers (most public CDNs do); without them the browser cannot verify the hash and blocks the resource
- If the file content changes (new version, CDN update), the hash must be regenerated
- Pin your CDN URLs to a specific version (e.g. @5.3.3) so the content doesn't change unexpectedly; an unpinned or "latest" URL starts failing the check as soon as the CDN updates it
When to use SRI
- Loading Bootstrap from jsDelivr
- Google Fonts stylesheets: caution, the CSS returned by fonts.googleapis.com is generated per User-Agent, so a hash computed in one browser fails in another; self-host the fonts if you need integrity protection
- jQuery from cdnjs
- Analytics/widget SDKs: only if the vendor serves a versioned, immutable URL; loaders that are updated in place under the same URL will break as soon as the vendor ships a new build
- WordPress plugin CDN scripts
- Security audit (batch mode)
Frequently Asked Questions
What is Subresource Integrity (SRI)?
Subresource Integrity is a browser security feature that lets you verify that files loaded from third-party CDNs haven't been tampered with. You add an integrity attribute to your <script> or <link> tag containing a cryptographic hash of the expected file content.
When the browser downloads the file, it independently computes the hash and compares it to the one you specified. If they don't match (even by a single byte), the browser refuses to execute the file. This prevents CDN supply chain attacks where an attacker modifies a file on a compromised CDN.
How do I generate an SRI hash?
SRIGen computes the hash directly in your browser using the Web Crypto API. Paste the CDN URL, click Generate, and copy the complete HTML tag. Alternatively, you can generate hashes from the command line with curl and openssl. Use curl's --fail (-f) flag so that an error page (for example a 404 from a mistyped URL) is not silently hashed in place of the real file:

```bash
# Generate SHA-384 hash for a remote file
curl -fsSL "https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js" \
  | openssl dgst -sha384 -binary | openssl base64 -A

# Generate hash for a local file
openssl dgst -sha384 -binary ./vendor/library.js | openssl base64 -A
```

Prefix the output with sha384- to obtain the integrity value.
What hash algorithm should I use for SRI?
SHA-384 is the usual recommendation: it is as strong as anything SRI needs while producing a shorter integrity string than SHA-512, and it is the algorithm used in the W3C SRI specification's own examples. All modern browsers support SHA-256, SHA-384 and SHA-512 for SRI; any other algorithm name is ignored.
SHA-256 is also acceptable. The property SRI relies on is second-preimage resistance (an attacker has to produce a different file with the same hash as a fixed original), and neither SHA-256 nor SHA-384 is anywhere near broken there. SHA-512 works too but produces a longer integrity string for no practical gain. If you have no specific reason to choose otherwise, use SHA-384.
Does SRI protect against CDN supply chain attacks?
Yes. SRI is specifically designed for this threat model. In the June 2026 OptinMonster CDN supply chain attack, attackers modified JavaScript files on the CDN while keeping the URL unchanged. If those script tags had included SRI integrity attributes, browsers would have refused to execute the modified files because the hash would not match.
SRI protects against: CDN compromises, CDN key theft, man-in-the-middle modification of CDN responses, and accidental file corruption. SRI does NOT protect against attacks on files you host yourself (an attacker who can rewrite the file on your origin can rewrite the hash in your HTML as well; use CSP and hardening of your own origin for that), nor against vulnerabilities in the legitimate script code, which the hash faithfully pins in place.
Why is crossorigin='anonymous' required for SRI?
The crossorigin="anonymous" attribute is required when using SRI with resources from a different origin (domain). Without it, the browser treats the response as opaque and cannot read its content to verify the hash, causing the integrity check to always fail.
This attribute tells the browser to make a CORS request without sending credentials (cookies, auth headers). The CDN must respond with appropriate Access-Control-Allow-Origin headers. Most public CDNs (jsDelivr, cdnjs, unpkg, Google Fonts) already support this.
What if the CDN URL gives a CORS error?
If the CDN doesn't serve CORS headers, the browser-based SRIGen tool cannot fetch the file. This is uncommon for public CDN resources but can happen with private or enterprise CDNs. In that case, use the command-line alternative:

```bash
# Download the file and compute the hash locally
curl -fsSL "https://private-cdn.example.com/lib.js" | openssl dgst -sha384 -binary | openssl base64 -A
# Then construct the tag manually:
# <script src="..." integrity="sha384-[output]" crossorigin="anonymous"></script>
```

Note: if a CDN doesn't support CORS, SRI will also fail in production, because the browser needs a CORS-readable response to verify the hash and blocks the resource rather than loading it unchecked. You may need to self-host the resource or ask the CDN provider to enable CORS headers.