Free SRI Hash Generator

Generate Subresource Integrity hashes for script and stylesheet files with SHA-256, SHA-384 or SHA-512.

What is the SRI Hash Generator?

Subresource Integrity (SRI) is a browser security feature that verifies the content of external scripts and stylesheets. You add an integrity attribute to your script or link tag containing a cryptographic hash of the file. Before executing the file, the browser computes its hash and compares it to the integrity value. If the hashes do not match — because the file was modified, compromised, or corrupted — the browser blocks the resource.

Quick answer

Use Subresource Integrity (SRI) to protect your site from compromised CDN files. Generate a cryptographic hash of the file content, add the integrity attribute to your script or link tag, and include crossorigin='anonymous'. The browser blocks the resource if its actual hash does not match.

Limitations

  • SRI only verifies the file content at load time. It does not protect against vulnerabilities within the loaded library itself (like XSS in an outdated jQuery version). Always keep libraries updated.
  • The hash must be regenerated every time the remote file changes. If you forget to update the integrity attribute after a library update, the resource is blocked and the page may break.
  • SRI does not work with resources that require credentials (cookies, HTTP auth) from a different origin. For credentialed cross-origin requests, use crossorigin='use-credentials' instead of 'anonymous'.

How to use this tool

  1. Provide the file content by pasting the code directly, uploading the file, or both (pasted content takes priority).
  2. Select the hash algorithm — SHA-256 is the standard; SHA-384 and SHA-512 are also valid.
  3. Copy the generated integrity attribute and the complete script or link tag into your HTML.

What it is for

  • Add integrity checks to CDN-hosted scripts like jQuery, Bootstrap, or any third-party library.
  • Verify that a downloaded library file matches the expected hash before deploying to production.
  • Generate integrity attributes for self-hosted assets when using a CDN and subdomain for caching.

Use cases

Practical examples

Example

Secure a CDN script tag

A site loads a utility library from a CDN. Generate the SRI hash from the exact file content, add the integrity attribute to the script tag, and include crossorigin='anonymous'. If the CDN file is ever tampered with, the browser refuses to execute it.

Example

Verify a downloaded library

A developer downloads a minified CSS framework and wants to confirm it has not been modified. Upload the file to generate its SHA-384 hash, then compare it with the hash published on the framework's official site.

Common mistakes

  • Generating a hash from a development version of a file and using it on a different production version — the hashes will not match.
  • Forgetting the crossorigin='anonymous' attribute on the script or link tag, which prevents the browser from computing the hash for cross-origin resources.
  • Never updating the integrity hash after a CDN library upgrade — old hashes block the new file and break the page.

Verification

  1. Check the browser DevTools Network tab — a resource with a matching integrity hash loads normally; a mismatched resource is blocked in red with an SRI error.
  2. Verify the generated hash by computing it independently: the output of openssl dgst -sha256 -binary file.js | openssl base64 -A should match the part of the generated integrity value that follows the sha256- prefix.
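
The generation steps under "How to use this tool" and the independent check above can be scripted for a build or deploy pipeline. The following is an added example, not code from this tool: the function names, the cdn.example URL and the two sample file contents are constructed for illustration. It also goes one step beyond the page by handling an integrity attribute that lists several hashes, where only the strongest algorithm present is compared.

```python
import base64
import hashlib
import html

# Algorithms SRI allows, ordered weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_value(content: bytes, algorithm: str = "sha256") -> str:
    """Return '<algorithm>-<base64 digest>' for the exact bytes served."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes, algorithm: str = "sha256") -> str:
    """Build a script tag carrying the integrity and crossorigin attributes."""
    return (f'<script src="{html.escape(url, quote=True)}" '
            f'integrity="{sri_value(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def matches(integrity: str, content: bytes) -> bool:
    """Check content against an integrity attribute the way a browser does.

    Tokens are whitespace-separated; only tokens using the strongest
    algorithm present are compared, and any one of them may match.
    """
    tokens = [t.split("?", 1)[0] for t in integrity.split()]
    known = [t for t in tokens if t.split("-", 1)[0] in ALGORITHMS]
    if not known:
        return True  # no usable metadata: nothing is enforced
    algorithm = max((t.split("-", 1)[0] for t in known), key=ALGORITHMS.index)
    expected = sri_value(content, algorithm)
    return any(t == expected for t in known if t.startswith(algorithm + "-"))


if __name__ == "__main__":
    # Constructed samples standing in for a library's dev and minified builds.
    dev_build = b"function add(a, b) {\n  return a + b;\n}\n"
    prod_build = b"function add(a,b){return a+b}"
    print(script_tag("https://cdn.example/lib.min.js", prod_build))
    pinned = sri_value(prod_build)
    print("production build passes:", matches(pinned, prod_build))
    print("development build passes:", matches(pinned, dev_build))
```

Run against the file that is actually deployed, matches() returning False reproduces the first and third mistakes listed under "Common mistakes" before a browser ever sees the page.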

FAQ

Questions about the SRI Hash Generator

Do I need crossorigin='anonymous' for SRI to work?

Yes, if the resource is served from a different origin than your page. Without crossorigin='anonymous', the browser cannot compute the hash of a cross-origin resource and the integrity check is skipped. For same-origin resources, crossorigin is not required but is harmless to include.

What happens if the SRI hash does not match the file?

The browser refuses to execute the script or apply the stylesheet entirely. The resource is blocked and an error appears in the browser console. This protects your users from compromised CDN files, but it also means a legitimate file update without a corresponding hash update breaks your page.

Which hash algorithm should I use for SRI?

SHA-256 is the standard and most widely used. SHA-384 and SHA-512 are also valid and provide stronger collision resistance, but the larger hash values add more bytes to your HTML. For web use, SHA-256 is sufficient — the security comes from the integrity check itself, not the hash length.

Can I use SRI with dynamically loaded scripts?

SRI only works with static script and link tags in the HTML. For dynamically loaded scripts (via import() or appendChild), you can set the integrity property on the script element before appending it. Module scripts loaded with import() do not support SRI directly — use import maps with integrity instead.
