
Last active Jun 14, 2021
Subresource Integrity (SRI)

The integrity attribute for scripts and stylesheets:


<!-- External scripts -->
<script integrity="sha512-aaaaaaaaa" crossorigin="anonymous" src="script.js"></script>

<!-- External stylesheets -->
<link integrity="sha512-aaaaaaaaa" crossorigin="anonymous" href="styles.css" rel="stylesheet">

<!-- Inline stylesheets -->
<style integrity="style-src 'sha512-aaaaaaaaa'">
body { ... }
</style>

Create a hash

You can list multiple hashes separated by spaces, but the browser only uses the strongest algorithm among them, so you might as well provide just one (preferably SHA-512, like GitHub).

Node uses crypto:

import {createHash} from "crypto";

const contents = Buffer.from("CONTENTS OF THE FILE");
const integrity = "sha512-" + createHash("sha512").update(contents).digest().toString("base64");

PHP uses hash:

$contents = file_get_contents("script.js");
$integrity = 'sha512-' . base64_encode(hash("sha512", $contents, true));
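
The selection rule described under "Create a hash", as an added example (not part of the original gist): a Node sketch of how an integrity value carrying several hashes is evaluated, using only the strongest algorithm present. The function names and sample contents are constructed for illustration, and digests are assumed to be standard base64.

```javascript
const { createHash } = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity token the same way as the Node snippet above.
function makeIntegrity(algorithm, contents) {
  return `${algorithm}-` + createHash(algorithm).update(contents).digest("base64");
}

// Split an integrity attribute into {algorithm, digest} entries.
// Tokens with an unknown algorithm or malformed digest are skipped, as browsers do.
function parseIntegrity(attribute) {
  return attribute.trim().split(/\s+/).flatMap((token) => {
    const match = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return match ? [{ algorithm: match[1], digest: match[2] }] : [];
  });
}

// Check contents against the attribute using only the strongest algorithm listed.
function verifyIntegrity(attribute, contents) {
  const entries = parseIntegrity(attribute);
  // No usable token (empty value, typo in the algorithm name): nothing is enforced.
  if (entries.length === 0) return true;
  const strongest = entries.reduce(
    (best, e) => (STRENGTH.indexOf(e.algorithm) > STRENGTH.indexOf(best) ? e.algorithm : best),
    "sha256"
  );
  const actual = createHash(strongest).update(contents).digest("base64");
  // Several digests for the same strongest algorithm are allowed; any match passes.
  return entries.some((e) => e.algorithm === strongest && e.digest === actual);
}

// Constructed sample data: the sha256 token matches the modified file,
// the sha512 token matches the original one.
const original = Buffer.from("console.log('hello');");
const tampered = Buffer.from("console.log('hello'); // changed");
const attribute = [makeIntegrity("sha256", tampered), makeIntegrity("sha512", original)].join(" ");

console.log(verifyIntegrity(attribute, original)); // true: sha512 digest matches
console.log(verifyIntegrity(attribute, tampered)); // false: the weaker sha256 token is ignored
console.log(verifyIntegrity("md5-abc", tampered)); // true: unsupported token, no check applied
```

The last call shows why a generated integrity value is worth validating before deployment: a token the browser cannot parse disables the check instead of blocking the resource.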

Plugins to inject integrity in HTML pages:

More tools:

cecilemuller commented Jun 5, 2021

Also related:
