SRI Hash Generator – Generate Integrity Attributes for Scripts
Paste the content of a JavaScript or CSS file and get its SHA‑256, SHA‑384, or SHA‑512 integrity hash. Build the full <script> tag with crossorigin.
UD5 Toolkit
Generate Subresource Integrity hashes for your CDN scripts and stylesheets.
Drag & drop your file here
or click to browse
Generating SRI hash...
integrity attribute of <script> or <link> tags. If the hashes don't match, the browser blocks the resource from loading, protecting your users from potential supply-chain attacks or compromised CDN files.
crossorigin attribute controls how the browser handles cross-origin requests for the resource. For SRI to work properly on cross-origin resources (like CDN files), the resource must be served with the appropriate CORS headers. The crossorigin="anonymous" setting sends the request without credentials (cookies, HTTP auth), while crossorigin="use-credentials" includes them. Most CDN resources work with anonymous. If you omit crossorigin on a cross-origin resource, SRI verification will fail silently in some browsers. For same-origin resources, the crossorigin attribute is not required.
<script> or <link> tag. For example:<script src="https://cdn.example.com/lib.js"></script><script src="https://cdn.example.com/lib.js" integrity="sha384-xxxxx" crossorigin="anonymous"></script>integrity and crossorigin attributes, ready to paste into your HTML.
integrity attribute and load the resource normally, so adding SRI hashes causes no breakage for legacy browsers.
jquery@3.7.1 rather than jquery@latest) so that the file content is immutable. When you intentionally upgrade a library, you must regenerate the SRI hash for the new version. This tool makes that process quick and easy.
script-src). SRI ensures that resources from allowed sources haven't been modified. You can (and should) use both together: CSP to restrict which CDNs are permitted, and SRI to verify the integrity of the files served by those CDNs. When used together, they provide defense-in-depth against XSS and supply-chain attacks. Starting with CSP Level 3, you can even require SRI for certain resource types using the require-sri-for directive.
fetch API. The content is processed entirely on your device — it is never sent to any server. The hash is computed locally using the browser's built-in Web Crypto API. If a CDN does not support CORS (Cross-Origin Resource Sharing), the fetch may fail; in that case, you can download the file and use the Upload File or Paste Content options instead.
Paste the content of a JavaScript or CSS file and get its SHA‑256, SHA‑384, or SHA‑512 integrity hash. Build the full <script> tag with crossorigin.
Paste a hash and the tool guesses which algorithm created it based on length and format. Useful for forensic analysis.
Generate a BLAKE3 hash of any text or file. Extremely fast. Perfect for checksums and content addressing. Local.
Generate SHA‑3 and SHAKE hashes of any text with configurable output length. All local using js library.
Generate SHA‑1, SHA‑256, SHA‑512, and SHA‑3 digests of any text or file. Verify integrity. All in your browser.
Generate a bcrypt hash from a password with configurable salt rounds. Verify a password against a hash. Entirely client‑side.
Generate Argon2id hashes in the browser using a WASM compilation. Choose memory, iterations, and parallelism. Secure local hashing.
Hash passwords using the bcrypt algorithm with configurable cost factor. Also verify a password against a stored hash. All local.
Generate the MD5 hash of any text string. For quick integrity checks. All local computation.
Hash any text using simple, fast algorithms: DJB2, SDBM, or CRC32. Get integer or hex. For quick lookups. Local.
Generate cryptographic and checksum hashes for any text string. Supports MD5, SHA-1, SHA-256, and CRC32. All hashing runs locally for maximum privacy.