SRI Hash Generator

SRI supports SHA-256, SHA-384, SHA-512. Recommendations: SHA-384 most common (balance of security and size), SHA-512 maximum security (longer hash), SHA-256 faster but less secure (still acceptable). You can specify multiple: integrity="sha384-abc123 sha512-def456" (browser uses strongest it supports). Performance: negligible difference for small files, SHA-384 recommended by most CDNs (jsdelivr, cdnjs). Hash format: algorithm-base64hash. Example: "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC". Security: all three are cryptographically secure for SRI purpose. This tool generates all three algorithms - choose based on your security policy.

Add integrity and crossorigin attributes to script/link tags. Steps: 1) Get hash from CDN (many provide it) or generate with this tool. 2) Add to HTML: <script src="https://cdn.jsdelivr.net/npm/vue@3" integrity="sha384-..." crossorigin="anonymous"></script>. 3) Test: browser console shows error if hash mismatch. Requirements: crossorigin attribute required (CORS), HTTPS only (SRI does not work on HTTP), same hash for same file (cache-friendly). Common CDNs with SRI: jsdelivr.com (shows SRI hash), cdnjs.com (copy SRI button), unpkg.com (generate hash). For self-hosted: generate hash during build, include in HTML templates. This tool generates production-ready SRI snippets.

Browser blocks resource execution and fires error event. Console shows: "Failed to find a valid digest in the 'integrity' attribute for resource 'URL'". Consequences: script does not run (may break page functionality), CSS does not apply (visual issues), onerror event fires (can catch with JavaScript). Common causes: file updated on CDN (new version), typo in hash value, wrong file URL, CORS misconfiguration (missing crossorigin). Debugging: check browser console, verify file content matches hash, regenerate hash, ensure CORS headers present. Fallback strategy: use <script onerror="..."> handler to load local copy if CDN fails. Update hashes when upgrading library versions. This tool helps verify current file matches expected hash.

Integrate into build pipeline for automated hash generation. Methods: webpack-subresource-integrity plugin (Webpack), vite-plugin-sri (Vite), generate with command line: openssl dgst -sha384 -binary file.js | openssl base64 -A, Node.js script with crypto module. Build process: 1) Build assets (minify JS/CSS). 2) Generate SRI hash for each file. 3) Inject into HTML template. 4) Deploy assets and HTML together. Version control: commit hashes with code, update on file changes only. CI/CD: automate hash generation on every deployment. Popular tools handle automatically. This tool useful for: local development, manual verification, one-off hash generation, learning SRI concepts.

SRI only works for external resources (separate file URLs), not inline scripts/styles. Inline scripts have no integrity attribute. External scripts with src attribute pointing to https://cdn.example.com/file.js with integrity attribute work with SRI. For dynamic content: if file changes frequently, SRI problematic (hash changes). Solutions: versioned URLs (lib-v1.2.3.js), build-time hash generation, accept hash updates on deployments. Dynamic loading (JavaScript): fetch with integrity check using the Fetch API. Service workers: verify hashes in SW logic. If content truly dynamic (user-generated, personalized), SRI not applicable - use other security measures (CSP, input sanitization). This tool generates hashes for static resources, the primary SRI use case.

SRI and CSP are complementary security mechanisms. CSP: defines which domains can load resources (script-src, style-src). SRI: verifies resource content has not changed. Together: CSP allows cdn.example.com, SRI verifies specific file hash. Example: CSP header Content-Security-Policy: script-src 'self' https://cdn.example.com, HTML: <script src="https://cdn.example.com/lib.js" integrity="sha384-...">. CSP controls source, SRI controls content. Best practice: use both - CSP prevents unauthorized sources, SRI prevents compromised allowed sources. Modern security: CSP + SRI + HTTPS = layered defense. This tool focuses on SRI hash generation - combine with CSP headers for complete protection.

Browser support: all modern browsers (Chrome 45+, Firefox 43+, Safari 11.1+, Edge 17+). IE 11 doesn't support (ignores integrity attribute). Limitations: HTTPS only (no SRI on HTTP), requires CORS (crossorigin attribute), doesn't work for inline scripts, hash updates needed on file changes, doesn't prevent all attacks (can block if CDN fully compromised). Not a replacement for: code review, dependency scanning, CSP, regular security updates. Best for: third-party CDN resources, static assets, public libraries. Performance: minimal overhead (hash verification is fast). Fallback: older browsers ignore integrity attribute gracefully, still load resource. This tool generates cross-browser compatible SRI hashes following W3C standard.