Security Tools

SRI Hash Generator

Generate Subresource Integrity hashes for CDN scripts and stylesheets. SHA-256, SHA-384, SHA-512 with ready-to-paste script and link tags.

Source:

Asset URL

The file is fetched directly from your browser to the CDN. Major CDNs (jsdelivr, unpkg, cdnjs, esm.sh) send a permissive CORS header, so the fetch works. If a host blocks cross-origin requests, switch to File mode and drop the asset.

Try a sample:

What integrity does

The browser fetches the asset, hashes the response bytes, and compares the result to your integrity attribute. A mismatch blocks execution; the network panel will show the resource as blocked.
SHA-256, SHA-384, and SHA-512 are the only algorithms accepted by the spec. Use SHA-384 unless you have a reason not to.
Multiple hashes can be space-separated. The browser will validate against the strongest one it recognizes.
crossorigin="anonymous" is mandatory for SRI on cross-origin assets. Without it the browser treats the response as opaque and rejects the integrity check.

Privacy

Text, files, and URL responses are hashed in your browser with the Web Crypto API. The URL mode fetches directly from the CDN; nothing travels through a Zero Signup Tools server. Page reloads do not preserve any of the input.

How to use

Pick a source. URL fetches the asset directly from the CDN, Text hashes pasted file contents (UTF-8), and File hashes a local file (drop or choose).
Click Fetch & hash for URL mode, or paste/drop content for the other modes. Hashing runs locally; the URL request never goes through a Zero Signup Tools server.
Copy any single hash (sha256-..., sha384-..., sha512-...) or the combined space-separated string with the Copy all three button.
Toggle between <script> and <link> in the ready-to-paste tag panel and copy the full element to drop into your HTML.
Use SHA-384 unless you have a specific reason to use SHA-256 or SHA-512. crossorigin="anonymous" is required for SRI to validate a cross-origin asset.

About this tool

SRI Hash Generator computes Subresource Integrity (SRI) hashes for any CDN script or stylesheet, entirely in your browser. Subresource Integrity is the W3C feature that lets the browser verify the bytes it fetched from a third-party host match the bytes you signed off on. Add the integrity attribute to your <script> or <link rel="stylesheet"> tag and the browser refuses to execute or apply the resource if the file ever changes. Three input modes are supported: paste the asset contents, drop a local file (up to 50 MB), or paste the CDN URL and let the tool fetch it directly. Major CDNs (jsdelivr, unpkg, cdnjs, esm.sh, Google Fonts, bootstrapcdn) send a permissive CORS header, so cross-origin fetch works from the browser. All three SRI-spec algorithms (SHA-256, SHA-384, SHA-512) are produced at once, each as the canonical sha<bits>-<base64> token the integrity attribute expects, with one-click copy. The tool also outputs a ready-to-paste <script> tag (or <link rel="stylesheet"> tag) using SHA-384 (the recommended baseline) plus crossorigin="anonymous" and referrerpolicy="no-referrer", which are the attributes the SRI spec requires for cross-origin validation. Hashing uses the Web Crypto SubtleCrypto.digest API, exactly the same primitive the browser will use to validate the integrity attribute on the next page load, so the digest is guaranteed to match. Nothing about the file, URL, or pasted text travels through a Zero Signup Tools server; the URL fetch goes from your browser straight to the CDN.

Free to use. Works in your browser. No signup, no login.

Related tools

SRI Hash Generator

How to use

About this tool

You may also like

SHA-256 Hash Generator

MD5 Hash Generator

HMAC Generator

CSP Header Generator

Cache-Control Header Builder

SRI Hash Generator